diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml
index 0a52f59b8..23309c8af 100644
--- a/.github/workflows/test-chart.yml
+++ b/.github/workflows/test-chart.yml
@@ -1,41 +1,35 @@
name: Test Chart
-permissions:
- contents: read
-
on:
pull_request:
paths-ignore:
- 'docs/**'
- '**/*.md'
+permissions: {}
+
jobs:
test-e2e:
- name: Run test chart
+ permissions:
+ contents: read
+ name: Run on Ubuntu
runs-on: ubuntu-latest
+ env:
+ IMG: controller:latest
steps:
- name: Clone the code
uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
- - name: Install Helm
- run: |
- curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- - name: Verify Helm installation
- run: helm version
- - name: Lint Helm Chart
- run: |
- helm lint ./dist/chart
-
- name: Install the latest version of kind
run: |
- curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
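Review bot: The kind step still downloads an unpinned `latest` binary with no integrity check and moves it into `/usr/local/bin` with sudo, so whatever `kind.sigs.k8s.io/dl/latest` serves at run time becomes the cluster tooling for the whole e2e job. `-f` is also missing, so an HTTP error body would be written to `./kind`, marked executable and later run. Pin a release and verify the `.sha256sum` that kind publishes next to each binary before installing; a sketch follows (the version string is a placeholder to be set to the release you test against). `actions/checkout@v6` and `actions/setup-go@v6` are mutable tags rather than commit SHAs; with `permissions: {}`, the job-level `contents: read` and `persist-credentials: false` already in place, SHA-pinning those two actions is the remaining supply-chain gap in this hunk.

```yaml
      - name: Install kind
        run: |
          # Pin a release: "latest" is a moving target and cannot be checksummed.
          KIND_VERSION="vX.Y.Z"   # placeholder - set to the release this job was validated with
          ARCH="$(go env GOARCH)"
          curl -fsSLo "kind-linux-${ARCH}" "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-${ARCH}"
          curl -fsSLo "kind-linux-${ARCH}.sha256sum" "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-${ARCH}.sha256sum"
          sha256sum --check "kind-linux-${ARCH}.sha256sum"
          chmod +x "kind-linux-${ARCH}"
          sudo mv "kind-linux-${ARCH}" /usr/local/bin/kind
```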
@@ -47,26 +41,40 @@ jobs:
- name: Prepare metal-operator
run: |
- go mod download
- make docker-build CONTROLLER_IMG=metal-operator:v0.1.0 METALPROBE_IMG=metal-probe:v0.1.0
- kind load docker-image metal-operator:v0.1.0 metal-probe:v0.1.0
+ go mod tidy
+ make docker-build
+ kind load docker-image $IMG
+
+ - name: Install Helm
+ run: make install-helm
- - name: Install cert-manager via Helm
+ - name: Lint Helm Chart
+ run: |
+ helm lint ./dist/chart
+
+
+ - name: Install cert-manager via Helm (wait for readiness)
run: |
helm repo add jetstack https://charts.jetstack.io
helm repo update
- helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
+ helm install cert-manager jetstack/cert-manager \
+ --namespace cert-manager \
+ --create-namespace \
+ --set crds.enabled=true \
+ --wait \
+ --timeout 300s
- - name: Wait for cert-manager to be ready
- run: |
- kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager
- kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-cainjector
- kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-webhook
+# TODO: Uncomment if Prometheus is enabled
+# - name: Install Prometheus Operator CRDs
+# run: |
+# helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+# helm repo update
+# helm install prometheus-crds prometheus-community/prometheus-operator-crds
- - name: Install Helm chart for project
+ - name: Deploy manager via Helm
run: |
- helm install my-release ./dist/chart --create-namespace --namespace metal-operator-system
+ make helm-deploy
- name: Check Helm release status
run: |
- helm status my-release --namespace metal-operator-system
+ make helm-status
diff --git a/Makefile b/Makefile
index 09d1e9572..8ca7b0045 100644
--- a/Makefile
+++ b/Makefile
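Review bot: Replacing `go mod download` with `go mod tidy` in the Prepare step lets CI rewrite `go.mod`/`go.sum` on the fly: if the committed module graph is stale, tidy resolves whatever it needs and the build proceeds against module versions nobody reviewed, instead of failing. Keep `go mod download` and add `go mod verify` so a go.sum mismatch fails the job; if tidiness is the actual goal, follow with `git diff --exit-code go.mod go.sum`. The cert-manager install is likewise unpinned (no `--version`), so the e2e run tracks whatever jetstack publishes; pinning it keeps the test reproducible and turns upgrades into reviewable PRs.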
@@ -253,7 +253,7 @@ undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.
.PHONY: helm
helm: manifests kubebuilder
- "$(KUBEBUILDER)" edit --plugins=helm/v1-alpha
+ "$(KUBEBUILDER)" edit --plugins=helm/v2-alpha
##@ Dependencies
@@ -420,3 +420,50 @@ kind-delete: ## Destroys the "metal" kind cluster.
.PHONY: tilt-up
tilt-up: $(ENVTEST) $(KUSTOMIZE) kind-create ## start tilt and build kind cluster if needed
EXP_CLUSTER_RESOURCE_SET=true tilt up
+
+##@ Helm Deployment
+
+## Helm binary to use for deploying the chart
+HELM ?= helm
+## Namespace to deploy the Helm release
+HELM_NAMESPACE ?= metal-operator-system
+## Name of the Helm release
+HELM_RELEASE ?= metal-operator
+## Path to the Helm chart directory
+HELM_CHART_DIR ?= dist/chart
+## Additional arguments to pass to helm commands
+HELM_EXTRA_ARGS ?=
+
+.PHONY: install-helm
+install-helm: ## Install the latest version of Helm.
+ @command -v $(HELM) >/dev/null 2>&1 || { \
+ echo "Installing Helm..." && \
+ curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4 | bash; \
+ }
+
+.PHONY: helm-deploy
+helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG.
+ $(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \
+ --namespace $(HELM_NAMESPACE) \
+ --create-namespace \
+ --set manager.image.repository=$${IMG%:*} \
+ --set manager.image.tag=$${IMG##*:} \
+ --wait \
+ --timeout 5m \
+ $(HELM_EXTRA_ARGS)
+
+.PHONY: helm-uninstall
+helm-uninstall: ## Uninstall the Helm release from the K8s cluster.
+ $(HELM) uninstall $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-status
+helm-status: ## Show Helm release status.
+ $(HELM) status $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-history
+helm-history: ## Show Helm release history.
+ $(HELM) history $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-rollback
+helm-rollback: ## Rollback to previous Helm release.
+ $(HELM) rollback $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
diff --git a/PROJECT b/PROJECT
index 54985e959..d191f4aee 100644
--- a/PROJECT
+++ b/PROJECT
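Review bot: `install-helm` pipes `https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4` straight into `bash`, so the recipe executes whatever is on the `main` branch at the moment it runs, with no pin and no integrity check — and because `helm-deploy` depends on it, this runs on developer machines as well as in CI. Pin the installer to a reviewed commit and check its digest before executing (sketch below; the ref and digest are placeholders to fill in), or make `install-helm` fail with a message when `$(HELM)` is missing and leave installation to the contributor. Separately, the `$${IMG%:*}`/`$${IMG##*:}` split in `helm-deploy` mis-parses digest references such as `repo/image@sha256:<hex>` (the repository becomes `repo/image@sha256` and the tag the hex) and yields empty values when `IMG` is unset; if digest-pinned images are meant to work, guard with `$${IMG:?IMG must be set}` and pass the full reference through a chart value the template splits, rather than splitting it in make.

```makefile
## Pin the installer script to a reviewed commit and verify it before running it.
## HELM_INSTALLER_REF: commit of helm/helm to fetch scripts/get-helm-4 from (placeholder)
HELM_INSTALLER_REF ?= <commit-sha>
## HELM_INSTALLER_SHA256: sha256 of that script at the pinned commit (placeholder)
HELM_INSTALLER_SHA256 ?= <sha256>

.PHONY: install-helm
install-helm: ## Install Helm from a pinned, checksum-verified installer script.
	@command -v $(HELM) >/dev/null 2>&1 || { \
		echo "Installing Helm..." && \
		curl -fsSL -o /tmp/get-helm "https://raw.githubusercontent.com/helm/helm/$(HELM_INSTALLER_REF)/scripts/get-helm-4" && \
		echo "$(HELM_INSTALLER_SHA256)  /tmp/get-helm" | sha256sum -c - && \
		bash /tmp/get-helm; \
	}
```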
@@ -8,7 +8,9 @@ layout: - go.kubebuilder.io/v4 plugins: autoupdate.kubebuilder.io/v1-alpha: {} - helm.kubebuilder.io/v1-alpha: {} + helm.kubebuilder.io/v2-alpha: + manifests: dist/install.yaml + output: dist projectName: metal-operator repo: github.com/ironcore-dev/metal-operator resources: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 5c5f0b84c..05634f2a9 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,2 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: controller + newTag: latest resources: - manager.yaml diff --git a/dist/chart/Chart.yaml b/dist/chart/Chart.yaml index 643ed8bdd..3923c109f 100644 --- a/dist/chart/Chart.yaml +++ b/dist/chart/Chart.yaml @@ -1,7 +1,14 @@ apiVersion: v2 name: metal-operator -description: A Helm chart to distribute the project metal-operator +description: A Helm chart to distribute metal-operator type: application + version: 0.1.0 appVersion: "0.1.0" -icon: "https://example.com/icon.png" + +keywords: + - kubernetes + - operator + +annotations: + kubebuilder.io/generated-by: kubebuilder diff --git a/dist/chart/templates/NOTES.txt b/dist/chart/templates/NOTES.txt new file mode 100644 index 000000000..1cec53d10 --- /dev/null +++ b/dist/chart/templates/NOTES.txt @@ -0,0 +1,15 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + +The controller and CRDs have been installed in namespace {{ .Release.Namespace }}. + +To verify the installation: + + kubectl get pods -n {{ .Release.Namespace }} + kubectl get customresourcedefinitions + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/dist/chart/templates/_helpers.tpl b/dist/chart/templates/_helpers.tpl index cd82641a8..6f0930e70 100644 
--- a/dist/chart/templates/_helpers.tpl +++ b/dist/chart/templates/_helpers.tpl 
@@ -1,50 +1,63 @@ -{{- define "chart.name" -}} -{{- if .Chart }} - {{- if .Chart.Name }} - {{- .Chart.Name | trunc 63 | trimSuffix "-" }} - {{- else if .Values.nameOverride }} - {{ .Values.nameOverride | trunc 63 | trimSuffix "-" }} - {{- else }} - metal-operator - {{- end }} +{{/* +Expand the name of the chart. +*/}} +{{- define "metal-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "metal-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} - metal-operator -{{- end }} -{{- end }} - - -{{- define "chart.labels" -}} -{{- if .Chart.Version -}} -helm.sh/chart: {{ .Chart.Version | quote }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} {{- end }} -app.kubernetes.io/name: {{ include "chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} - -{{- define "chart.selectorLabels" -}} -app.kubernetes.io/name: {{ include "chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +{{/* +Namespace for generated references. +Always uses the Helm release namespace. +*/}} +{{- define "metal-operator.namespaceName" -}} +{{- .Release.Namespace }} {{- end }} - -{{- define "chart.hasMutatingWebhooks" -}} -{{- $hasMutating := false }} -{{- range . 
}} - {{- if eq .type "mutating" }} - $hasMutating = true }}{{- end }} +{{/* +Resource name with proper truncation for Kubernetes 63-character limit. +Takes a dict with: + - .suffix: Resource name suffix (e.g., "metrics", "webhook") + - .context: Template context (root context with .Values, .Release, etc.) +Dynamically calculates safe truncation to ensure total name length <= 63 chars. +*/}} +{{- define "metal-operator.resourceName" -}} +{{- $fullname := include "metal-operator.fullname" .context }} +{{- $suffix := .suffix }} +{{- $maxLen := sub 62 (len $suffix) | int }} +{{- if gt (len $fullname) $maxLen }} +{{- printf "%s-%s" (trunc $maxLen $fullname | trimSuffix "-") $suffix | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" $fullname $suffix | trunc 63 | trimSuffix "-" }} +{{- end }} {{- end }} -{{ $hasMutating }}}}{{- end }} - -{{- define "chart.hasValidatingWebhooks" -}} -{{- $hasValidating := false }} -{{- range . }} - {{- if eq .type "validating" }} - $hasValidating = true }}{{- end }} +{{/* +ServiceAccount name to use. +If serviceAccount.enable is false and serviceAccount.name is set, use that name. +Otherwise, use the standard resourceName helper with "controller-manager" suffix. +*/}} +{{- define "metal-operator.serviceAccountName" -}} +{{- if and (not (.Values.serviceAccount.enable | default true)) .Values.serviceAccount.name }} +{{- .Values.serviceAccount.name }} +{{- else }} +{{- include "metal-operator.resourceName" (dict "suffix" "controller-manager" "context" .) }} +{{- end }} {{- end }} -{{ $hasValidating }}}}{{- end }} diff --git a/dist/chart/templates/cert-manager/metrics-certs.yaml b/dist/chart/templates/cert-manager/metrics-certs.yaml new file mode 100644 index 000000000..305106eb5 --- /dev/null +++ b/dist/chart/templates/cert-manager/metrics-certs.yaml 
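Review bot: In `metal-operator.serviceAccountName`, `(.Values.serviceAccount.enable | default true)` can never evaluate to false: sprig's `default` treats `false` as an empty value and substitutes `true`, so `not (...)` is always false and the `.Values.serviceAccount.name` branch is dead code. A user who sets `serviceAccount.enable: false` together with `serviceAccount.name: <existing-sa>` to bind the controller to a pre-provisioned identity would silently get the generated `…-controller-manager` name instead, i.e. the Deployment would reference a ServiceAccount this chart no longer creates. Test presence explicitly: `{{- if and (hasKey .Values.serviceAccount "enable") (not .Values.serviceAccount.enable) .Values.serviceAccount.name }}`. The manager.yaml hunk at the end of this page already uses the `hasKey` form for `manager.enabled`, so this brings the two helpers in line.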
@@ -0,0 +1,20 @@
+{{- if and .Values.certManager.enable .Values.metrics.enable .Values.metrics.secure }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-certs" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc
+ - {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+ secretName: metrics-server-cert
+{{- end }}
diff --git a/dist/chart/templates/cert-manager/selfsigned-issuer.yaml b/dist/chart/templates/cert-manager/selfsigned-issuer.yaml
new file mode 100644
index 000000000..e5ec89b27
--- /dev/null
+++ b/dist/chart/templates/cert-manager/selfsigned-issuer.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.certManager.enable }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
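Review bot: In metrics-certs.yaml the Certificate's name is release-scoped through `metal-operator.resourceName`, but `secretName: metrics-server-cert` is a fixed string, so two releases of this chart in one namespace would have two Certificates writing the same Secret — cert-manager flags, and may fight over, the shared ownership, and one release's metrics endpoint can end up serving the other's key material. Scope the secret the same way, `secretName: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-server-cert" "context" $) }}`, and update the Deployment volume's `secret.secretName` (manager.yaml, whose hunk runs past this page) to the same expression so the two cannot drift. Since the issuer is self-signed, whatever scrapes the secure metrics port has to trust this exact cert or skip verification; worth a line in values.yaml/NOTES so that choice is explicit rather than discovered.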
diff --git a/dist/chart/templates/cert-manager/serving-cert.yaml b/dist/chart/templates/cert-manager/serving-cert.yaml
new file mode 100644
index 000000000..f46823b5b
--- /dev/null
+++ b/dist/chart/templates/cert-manager/serving-cert.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.certManager.enable }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }}.{{ .Release.Namespace }}.svc
+ - {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+ secretName: webhook-server-cert
+{{- end }}
diff --git a/dist/chart/templates/certmanager/certificate.yaml b/dist/chart/templates/certmanager/certificate.yaml
deleted file mode 100644
index ee96e82f8..000000000
--- a/dist/chart/templates/certmanager/certificate.yaml
+++ /dev/null
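Review bot: serving-cert.yaml hard-codes `secretName: webhook-server-cert` while the Certificate itself is release-scoped, the same mismatch as in metrics-certs — and this Secret is the one the kube-apiserver's trust hangs on, since the CRDs' `cert-manager.io/inject-ca-from` points at this Certificate; a second release in the namespace could overwrite the CA the first release's CRDs were injected with. It also sets no `privateKey.rotationPolicy`, so on cert-manager releases whose default is `Never` the same webhook private key is reused on every renewal; add `privateKey:` / `  rotationPolicy: Always` so renewal actually rotates the key. For the secret, use `secretName: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-server-cert" "context" $) }}` and mirror it in the manager Deployment's volume, whose hunk is outside this page.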
@@ -1,60 +0,0 @@ -{{- if .Values.certmanager.enable }} -# Self-signed Issuer -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: selfsigned-issuer - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} -{{- if .Values.webhook.enable }} ---- -# Certificate for the webhook -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - annotations: - {{- if .Values.crd.keep }} - "helm.sh/resource-policy": keep - {{- end }} - name: serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "chart.labels" . | nindent 4 }} -spec: - dnsNames: - - metal-operator.{{ .Release.Namespace }}.svc - - metal-operator.{{ .Release.Namespace }}.svc.cluster.local - - metal-operator-webhook-service.{{ .Release.Namespace }}.svc - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert -{{- end }} -{{- if .Values.metrics.enable }} ---- -# Certificate for the metrics -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - annotations: - {{- if .Values.crd.keep }} - "helm.sh/resource-policy": keep - {{- end }} - labels: - {{- include "chart.labels" . | nindent 4 }} - name: metrics-certs - namespace: {{ .Release.Namespace }} -spec: - dnsNames: - - metal-operator.{{ .Release.Namespace }}.svc - - metal-operator.{{ .Release.Namespace }}.svc.cluster.local - - metal-operator-metrics-service.{{ .Release.Namespace }}.svc - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: metrics-server-cert -{{- end }} -{{- end }} diff --git a/dist/chart/templates/configmap/ignition-template.yaml b/dist/chart/templates/configmap/ignition-template.yaml deleted file mode 100644 index 53d3188da..000000000 --- a/dist/chart/templates/configmap/ignition-template.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{- if .Values.ignition.override }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "chart.name" . }}-ignition-template - namespace: {{ .Release.Namespace }} - labels: - {{- include "chart.labels" . | nindent 4 }} -data: - # The Ignition template has the following parameters substituted at runtime: - # {{.Image}} - The Docker image to run for metalprobe - # {{.Flags}} - The flags to pass to the metalprobe container, this includes --registry-url and --server-uuid - # {{.SSHPublicKey}} - The SSH public key for the 'metal' user - # {{.PasswordHash}} - The password hash for the 'metal' user - ignition-template.yaml: | -{{ .Values.ignition.template | indent 4 }} -{{- end }} \ No newline at end of file diff --git a/dist/chart/templates/crd/metal.ironcore.dev_biossettings.yaml b/dist/chart/templates/crd/biossettings.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_biossettings.yaml rename to dist/chart/templates/crd/biossettings.metal.ironcore.dev.yaml index ad8d69bcf..072d26016 --- a/dist/chart/templates/crd/metal.ironcore.dev_biossettings.yaml +++ b/dist/chart/templates/crd/biossettings.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: biossettings.metal.ironcore.dev spec: @@ -322,4 +320,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} 
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_biossettingssets.yaml b/dist/chart/templates/crd/biossettingssets.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_biossettingssets.yaml rename to dist/chart/templates/crd/biossettingssets.metal.ironcore.dev.yaml index 8586aed8f..0c903fc19 --- a/dist/chart/templates/crd/metal.ironcore.dev_biossettingssets.yaml +++ b/dist/chart/templates/crd/biossettingssets.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: biossettingssets.metal.ironcore.dev spec: @@ -218,4 +216,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_biosversions.yaml b/dist/chart/templates/crd/biosversions.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_biosversions.yaml rename to dist/chart/templates/crd/biosversions.metal.ironcore.dev.yaml index b8dab5ee8..4eb1bc71f --- a/dist/chart/templates/crd/metal.ironcore.dev_biosversions.yaml +++ b/dist/chart/templates/crd/biosversions.metal.ironcore.dev.yaml 
@@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: biosversions.metal.ironcore.dev spec: @@ -265,4 +263,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_biosversionsets.yaml b/dist/chart/templates/crd/biosversionsets.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_biosversionsets.yaml rename to dist/chart/templates/crd/biosversionsets.metal.ironcore.dev.yaml index f0a2aa347..3ec914824 --- a/dist/chart/templates/crd/metal.ironcore.dev_biosversionsets.yaml +++ b/dist/chart/templates/crd/biosversionsets.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: biosversionsets.metal.ironcore.dev spec: @@ -221,4 +219,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} 
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcs.yaml b/dist/chart/templates/crd/bmcs.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 96% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcs.yaml rename to dist/chart/templates/crd/bmcs.metal.ironcore.dev.yaml index 831229924..deeb5826e --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcs.yaml +++ b/dist/chart/templates/crd/bmcs.metal.ironcore.dev.yaml @@ -1,17 +1,25 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcs.metal.ironcore.dev spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 group: metal.ironcore.dev names: kind: BMC @@ -304,4 +312,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcsecrets.yaml b/dist/chart/templates/crd/bmcsecrets.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 95% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcsecrets.yaml rename to dist/chart/templates/crd/bmcsecrets.metal.ironcore.dev.yaml index a032d894f..3290608b9 --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcsecrets.yaml +++ b/dist/chart/templates/crd/bmcsecrets.metal.ironcore.dev.yaml 
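Review bot: bmcs.metal.ironcore.dev now declares `conversion.strategy: Webhook`, so whenever the API server has to convert between served versions it must reach `…-webhook-service` over TLS trusted via the `caBundle` that `inject-ca-from` supplies; when `.Values.certManager.enable` is false the chart renders no `…-serving-cert` Certificate, nothing populates the CA, and those conversions would fail closed rather than degrade — the CRD becomes partly unusable in exactly the configuration the value is meant to support. The annotation is also emitted on every CRD in this patch, including the ones with no conversion section, which hides which CRDs actually carry this dependency and leaves cainjector (if installed) logging about a Certificate that does not exist. Because these files are generated (`kubebuilder edit --plugins=helm/v2-alpha`, per the Makefile hunk), fix it at the source rather than by hand-editing `dist/chart`: gate the `conversion` block and the annotation on `certManager.enable`, or fail the render early with `{{- if not .Values.certManager.enable }}{{ fail "conversion webhooks require certManager.enable=true" }}{{- end }}` so the misconfiguration surfaces at install time instead of at first API call.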
@@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcsecrets.metal.ironcore.dev spec: @@ -84,4 +82,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcsettings.yaml b/dist/chart/templates/crd/bmcsettings.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 99% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcsettings.yaml rename to dist/chart/templates/crd/bmcsettings.metal.ironcore.dev.yaml index 7c5b93a00..c2b3069a8 --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcsettings.yaml +++ b/dist/chart/templates/crd/bmcsettings.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcsettings.metal.ironcore.dev spec: @@ -341,4 +339,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} 
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcsettingssets.yaml b/dist/chart/templates/crd/bmcsettingssets.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcsettingssets.yaml rename to dist/chart/templates/crd/bmcsettingssets.metal.ironcore.dev.yaml index ec5057f34..239f9c0e8 --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcsettingssets.yaml +++ b/dist/chart/templates/crd/bmcsettingssets.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcsettingssets.metal.ironcore.dev spec: @@ -327,4 +325,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcusers.yaml b/dist/chart/templates/crd/bmcusers.metal.ironcore.dev.yaml similarity index 97% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcusers.yaml rename to dist/chart/templates/crd/bmcusers.metal.ironcore.dev.yaml index c8798e8f3..e397d0a44 100644 --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcusers.yaml +++ b/dist/chart/templates/crd/bmcusers.metal.ironcore.dev.yaml 
@@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcusers.metal.ironcore.dev spec: @@ -152,4 +150,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcversions.yaml b/dist/chart/templates/crd/bmcversions.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcversions.yaml rename to dist/chart/templates/crd/bmcversions.metal.ironcore.dev.yaml index 578f1a953..5617e24da --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcversions.yaml +++ b/dist/chart/templates/crd/bmcversions.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcversions.metal.ironcore.dev spec: @@ -266,4 +264,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} 
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_bmcversionsets.yaml b/dist/chart/templates/crd/bmcversionsets.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 98% rename from dist/chart/templates/crd/metal.ironcore.dev_bmcversionsets.yaml rename to dist/chart/templates/crd/bmcversionsets.metal.ironcore.dev.yaml index caa37b782..ebb04e996 --- a/dist/chart/templates/crd/metal.ironcore.dev_bmcversionsets.yaml +++ b/dist/chart/templates/crd/bmcversionsets.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: bmcversionsets.metal.ironcore.dev spec: @@ -221,4 +219,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_endpoints.yaml b/dist/chart/templates/crd/endpoints.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 93% rename from dist/chart/templates/crd/metal.ironcore.dev_endpoints.yaml rename to dist/chart/templates/crd/endpoints.metal.ironcore.dev.yaml index 664b7fcd0..62b239f80 --- a/dist/chart/templates/crd/metal.ironcore.dev_endpoints.yaml +++ b/dist/chart/templates/crd/endpoints.metal.ironcore.dev.yaml 
@@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: endpoints.metal.ironcore.dev spec: @@ -72,4 +70,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_serverbootconfigurations.yaml b/dist/chart/templates/crd/serverbootconfigurations.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 97% rename from dist/chart/templates/crd/metal.ironcore.dev_serverbootconfigurations.yaml rename to dist/chart/templates/crd/serverbootconfigurations.metal.ironcore.dev.yaml index af7b05873..7bec342e8 --- a/dist/chart/templates/crd/metal.ironcore.dev_serverbootconfigurations.yaml +++ b/dist/chart/templates/crd/serverbootconfigurations.metal.ironcore.dev.yaml @@ -1,14 +1,12 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: serverbootconfigurations.metal.ironcore.dev spec: @@ -173,4 +171,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} 
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml b/dist/chart/templates/crd/serverclaims.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 94% rename from dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml rename to dist/chart/templates/crd/serverclaims.metal.ironcore.dev.yaml index 536e4540e..24da9022b --- a/dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml +++ b/dist/chart/templates/crd/serverclaims.metal.ironcore.dev.yaml @@ -1,17 +1,25 @@ {{- if .Values.crd.enable }} ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} annotations: {{- if .Values.crd.keep }} "helm.sh/resource-policy": keep {{- end }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} controller-gen.kubebuilder.io/version: v0.21.0 name: serverclaims.metal.ironcore.dev spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 group: metal.ironcore.dev names: kind: ServerClaim @@ -207,4 +215,4 @@ spec: storage: true subresources: status: {} -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/crd/metal.ironcore.dev_servermaintenances.yaml b/dist/chart/templates/crd/servermaintenances.metal.ironcore.dev.yaml old mode 100755 new mode 100644 similarity index 97% rename from dist/chart/templates/crd/metal.ironcore.dev_servermaintenances.yaml rename to dist/chart/templates/crd/servermaintenances.metal.ironcore.dev.yaml index 4df667c22..3ef2983a9 --- a/dist/chart/templates/crd/metal.ironcore.dev_servermaintenances.yaml +++ b/dist/chart/templates/crd/servermaintenances.metal.ironcore.dev.yaml 
@@ -1,14 +1,12 @@
 {{- if .Values.crd.enable }}
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
 annotations:
 {{- if .Values.crd.keep }}
 "helm.sh/resource-policy": keep
 {{- end }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }}
 controller-gen.kubebuilder.io/version: v0.21.0
 name: servermaintenances.metal.ironcore.dev
 spec:
@@ -167,4 +165,4 @@ spec:
 storage: true
 subresources:
 status: {}
-{{- end -}}
+{{- end }}
diff --git a/dist/chart/templates/crd/metal.ironcore.dev_servers.yaml b/dist/chart/templates/crd/servers.metal.ironcore.dev.yaml
old mode 100755
new mode 100644
similarity index 99%
rename from dist/chart/templates/crd/metal.ironcore.dev_servers.yaml
rename to dist/chart/templates/crd/servers.metal.ironcore.dev.yaml
index 4ab9c3d91..6844f1677
--- a/dist/chart/templates/crd/metal.ironcore.dev_servers.yaml
+++ b/dist/chart/templates/crd/servers.metal.ironcore.dev.yaml
@@ -1,14 +1,12 @@
 {{- if .Values.crd.enable }}
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
 annotations:
 {{- if .Values.crd.keep }}
 "helm.sh/resource-policy": keep
 {{- end }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }}
 controller-gen.kubebuilder.io/version: v0.21.0
 name: servers.metal.ironcore.dev
 spec:
@@ -575,4 +573,4 @@ spec:
 storage: true
 subresources:
 status: {}
-{{- end -}}
+{{- end }}
diff --git a/dist/chart/templates/manager/manager.yaml b/dist/chart/templates/manager/manager.yaml
index d6125e3a9..351f3a3a2 100644
--- a/dist/chart/templates/manager/manager.yaml
+++ b/dist/chart/templates/manager/manager.yaml
@@ -1,123 +1,179 @@ -{{- if .Values.controllerManager.enable }} +{{- if or (not (hasKey .Values.manager "enabled")) (.Values.manager.enabled) }} apiVersion: apps/v1 kind: Deployment metadata: - name: metal-operator-controller-manager - namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} control-plane: controller-manager - {{- include "chart.labels" . | nindent 4 }} + {{- with .Values.manager.labels }} + {{- with omit . "app.kubernetes.io/managed-by" "app.kubernetes.io/name" "helm.sh/chart" "app.kubernetes.io/instance" "control-plane" }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager" "context" $) }} + namespace: {{ .Release.Namespace }} + {{- if .Values.manager.annotations }} + annotations: + {{- toYaml .Values.manager.annotations | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.controllerManager.replicas }} - strategy: - type: {{ .Values.controllerManager.strategy.type | quote }} + {{- with .Values.manager.strategy }} + strategy: {{ toYaml . | nindent 6 }} + {{- end }} + replicas: {{ .Values.manager.replicas }} selector: matchLabels: - {{- include "chart.selectorLabels" . | nindent 6 }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} control-plane: controller-manager template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + {{- with .Values.manager.pod }} + {{- with .annotations }} + {{- with omit . "kubectl.kubernetes.io/default-container" }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} labels: + app.kubernetes.io/name: {{ include "metal-operator.name" . 
}} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} control-plane: controller-manager - {{- include "chart.labels" . | nindent 8 }} - {{- if and .Values.controllerManager.pod .Values.controllerManager.pod.labels }} - {{- range $key, $value := .Values.controllerManager.pod.labels }} - {{ $key }}: {{ $value }} + {{- with .Values.manager.pod }} + {{- with .labels }} + {{- with omit . "app.kubernetes.io/name" "helm.sh/chart" "app.kubernetes.io/instance" "app.kubernetes.io/managed-by" "control-plane" }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- end }} - annotations: - kubectl.kubernetes.io/default-container: manager spec: + {{- with .Values.manager.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.manager.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.manager.tolerations }} + tolerations: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.manager.affinity }} + affinity: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.manager.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.manager.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - - name: manager - args: - {{- range .Values.controllerManager.manager.args }} + - args: + {{- if .Values.metrics.enable }} + - --metrics-bind-address=:{{ .Values.metrics.port }} + {{- if not .Values.metrics.secure }} + - --metrics-secure=false + {{- end }} + {{- else }} + # Bind to :0 to disable the controller-runtime managed metrics server + - --metrics-bind-address=0 + {{- end }} + {{- range .Values.manager.args }} - {{ . 
}} {{- end }} + {{- if and .Values.certManager.enable .Values.metrics.enable }} + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + {{- end }} + {{- if .Values.certManager.enable }} + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs + {{- end }} command: - /manager - image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }} - {{- if .Values.controllerManager.manager.env }} - env: - {{- range $key, $value := .Values.controllerManager.manager.env }} - - name: {{ $key }} - value: {{ $value | quote}} - {{- end }} + image: "{{ .Values.manager.image.repository }}{{- if not (contains "@" .Values.manager.image.repository) }}:{{ .Values.manager.image.tag | default .Chart.AppVersion }}{{- end }}" + {{- with .Values.manager.image.pullPolicy }} + imagePullPolicy: {{ . }} {{- end }} livenessProbe: - {{- toYaml .Values.controllerManager.manager.livenessProbe | nindent 10 }} - readinessProbe: - {{- toYaml .Values.controllerManager.manager.readinessProbe | nindent 10 }} - {{- if .Values.webhook.enable }} + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager ports: - - containerPort: 9443 + - containerPort: 8081 + name: health + protocol: TCP + - containerPort: {{ .Values.webhook.port }} name: webhook-server protocol: TCP - {{- end }} + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 resources: - {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} + {{- if .Values.manager.resources }} + {{- toYaml .Values.manager.resources | nindent 10 }} + {{- else }} + {} + {{- end }} securityContext: - {{- toYaml .Values.controllerManager.manager.securityContext | nindent 10 }} + {{- if .Values.manager.securityContext }} + {{- toYaml .Values.manager.securityContext | nindent 10 }} + {{- else }} + {} + {{- end }} volumeMounts: - - mountPath: /etc/macdb/ - name: macdb - {{- if 
.Values.controllerManager.dnsRecordTemplate.enabled }} - - mountPath: /etc/metal-operator/dns - name: dns-record-template - {{- end }} - {{- if .Values.ignition.override }} - - name: ignition-template - mountPath: /etc/metal-operator - readOnly: true - {{- end }} - {{- if and .Values.webhook.enable .Values.certmanager.enable }} - - name: webhook-cert - mountPath: /tmp/k8s-webhook-server/serving-certs - readOnly: true - {{- end }} - {{- if and .Values.metrics.enable .Values.certmanager.enable }} - - name: metrics-certs - mountPath: /tmp/k8s-metrics-server/metrics-certs + {{- if .Values.manager.extraVolumeMounts }} + {{- toYaml .Values.manager.extraVolumeMounts | nindent 10 }} + {{- end }} + {{- if and .Values.certManager.enable .Values.metrics.enable }} + - mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs readOnly: true {{- end }} - {{- range $volume := .Values.controllerManager.manager.volumes }} - - name: {{ $volume.name }} - mountPath: {{ $volume.mountPath }} - {{- if $volume.readOnly }} + {{- if .Values.certManager.enable }} + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs readOnly: true - {{- end }} {{- end }} securityContext: - {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} - serviceAccountName: {{ .Values.controllerManager.serviceAccountName }} - hostNetwork: {{ .Values.controllerManager.hostNetwork }} - terminationGracePeriodSeconds: {{ .Values.controllerManager.terminationGracePeriodSeconds }} - volumes: - - name: macdb - secret: - secretName: macdb - {{- if .Values.controllerManager.dnsRecordTemplate.enabled }} - - name: dns-record-template - configMap: - name: dns-record-template - {{- end }} - {{- if .Values.ignition.override }} - - name: ignition-template - configMap: - name: {{ include "chart.name" . 
}}-ignition-template - {{- end }} - {{- if and .Values.webhook.enable .Values.certmanager.enable }} - - name: webhook-cert - secret: - secretName: webhook-server-cert + {{- if .Values.manager.podSecurityContext }} + {{- toYaml .Values.manager.podSecurityContext | nindent 8 }} + {{- else }} + {} + {{- end }} + serviceAccountName: {{ include "metal-operator.serviceAccountName" . }} + {{- if and (hasKey .Values.manager "terminationGracePeriodSeconds") (ne .Values.manager.terminationGracePeriodSeconds nil) }} + terminationGracePeriodSeconds: {{ .Values.manager.terminationGracePeriodSeconds }} {{- end }} - {{- if and .Values.metrics.enable .Values.certmanager.enable }} + volumes: + {{- if .Values.manager.extraVolumes }} + {{- toYaml .Values.manager.extraVolumes | nindent 8 }} + {{- end }} + {{- if and .Values.certManager.enable .Values.metrics.enable }} - name: metrics-certs secret: + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: metrics-server-cert {{- end }} - {{- range $volume := .Values.controllerManager.manager.volumes }} - - name: {{ $volume.name }} - {{- toYaml $volume.source | nindent 8 }} + {{- if .Values.certManager.enable }} + - name: webhook-certs + secret: + secretName: webhook-server-cert {{- end }} {{- end }} diff --git a/dist/chart/templates/metrics/controller-manager-metrics-service.yaml b/dist/chart/templates/metrics/controller-manager-metrics-service.yaml new file mode 100644 index 000000000..eff7ad193 --- /dev/null +++ b/dist/chart/templates/metrics/controller-manager-metrics-service.yaml 
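Review bot: When `.Values.manager.securityContext` and `.Values.manager.podSecurityContext` are unset, the rewritten template renders `securityContext: {}` for both the container and the pod, so the Deployment carries no hardening unless values.yaml (not visible in this diff) populates those keys. The previous template passed `.Values.controllerManager.manager.securityContext` and `.podSecurityContext` straight through, so a consumer who migrates to the new `manager` block without copying whatever hardening their old values carried silently ends up with an unconstrained container. A restrictive default in the `else` branch is safer than `{}`; the same treatment applies to the `podSecurityContext` block, where `runAsNonRoot: true` and a `seccompProfile` of `RuntimeDefault` are the equivalent fallback. Separately, the `webhook-server` container port is now rendered unconditionally and the webhook cert mount is gated only on `.Values.certManager.enable`, whereas the old template also required `.Values.webhook.enable`; if that value still exists the gate should be restored.

```yaml
        securityContext:
          {{- if .Values.manager.securityContext }}
          {{- toYaml .Values.manager.securityContext | nindent 10 }}
          {{- else }}
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
          {{- end }}
        # … unchanged: volumeMounts …
```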
@@ -0,0 +1,22 @@
+{{- if .Values.metrics.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ control-plane: controller-manager
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: {{ if .Values.metrics.secure }}https{{ else }}http{{ end }}
+ port: {{ .Values.metrics.port }}
+ protocol: TCP
+ targetPort: {{ .Values.metrics.port }}
+ selector:
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ control-plane: controller-manager
+{{- end }}
diff --git a/dist/chart/templates/metrics/metrics-service.yaml b/dist/chart/templates/metrics/metrics-service.yaml
deleted file mode 100644
index 3f9b162bf..000000000
--- a/dist/chart/templates/metrics/metrics-service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.metrics.enable }}
-apiVersion: v1
-kind: Service
-metadata:
- name: metal-operator-controller-manager-metrics-service
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- control-plane: controller-manager
-spec:
- ports:
- - port: 8443
- targetPort: 8443
- protocol: TCP
- name: https
- selector:
- control-plane: controller-manager
-{{- end }}
diff --git a/dist/chart/templates/network-policy/allow-metrics-traffic.yaml b/dist/chart/templates/network-policy/allow-metrics-traffic.yaml
deleted file mode 100644
index 317b78ccb..000000000
--- a/dist/chart/templates/network-policy/allow-metrics-traffic.yaml
+++ /dev/null
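Review bot: The new metrics Service exposes `.Values.metrics.port` cluster-wide, while the NetworkPolicy that previously restricted ingress to the metrics port (`allow-metrics-traffic.yaml`, deleted in this commit) has no replacement anywhere in this diff; the same holds for `allow-webhook-traffic.yaml`. Unless the policies were moved to a file outside this diff, a consumer who relied on `networkPolicy.enable` now gets no ingress restriction at all, and the value itself appears to have become a no-op. If the removal is intended, values.yaml should say so; otherwise re-add the two policies using the new `app.kubernetes.io/name` selector and `metal-operator.resourceName` naming. Also, the Service's `targetPort` is not declared among the manager container's `containerPort`s (only `health` and `webhook-server` are), which is legal but means a policy cannot match the metrics port by name.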
@@ -1,28 +0,0 @@ -{{- if .Values.networkPolicy.enable }} -# This NetworkPolicy allows ingress traffic -# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those -# namespaces are able to gather data from the metrics endpoint. -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: allow-metrics-traffic - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - control-plane: controller-manager - app.kubernetes.io/name: metal-operator - policyTypes: - - Ingress - ingress: - # This allows ingress traffic from any namespace with the label metrics: enabled - - from: - - namespaceSelector: - matchLabels: - metrics: enabled # Only from namespaces with this label - ports: - - port: 8443 - protocol: TCP -{{- end -}} diff --git a/dist/chart/templates/network-policy/allow-webhook-traffic.yaml b/dist/chart/templates/network-policy/allow-webhook-traffic.yaml deleted file mode 100755 index 5bb1aa7e8..000000000 --- a/dist/chart/templates/network-policy/allow-webhook-traffic.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.networkPolicy.enable }} -# This NetworkPolicy allows ingress traffic to your webhook server running -# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks -# will only work when applied in namespaces labeled with 'webhook: enabled' -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: allow-webhook-traffic - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - control-plane: controller-manager - policyTypes: - - Ingress - ingress: - # This allows ingress traffic from any namespace with the label webhook: enabled - - from: - - namespaceSelector: - matchLabels: - webhook: enabled # Only from namespaces with this label - ports: - - port: 443 - protocol: TCP -{{- end -}} 
diff --git a/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml b/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml
new file mode 100644
index 000000000..92e3e27f5
--- /dev/null
+++ b/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.prometheus.enable }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ control-plane: controller-manager
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager-metrics-monitor" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpoints:
+ - {{- if .Values.metrics.secure }}
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ {{- end }}
+ path: /metrics
+ port: {{ if .Values.metrics.secure }}https{{ else }}http{{ end }}
+ scheme: {{ if .Values.metrics.secure }}https{{ else }}http{{ end }}
+ {{- if .Values.metrics.secure }}
+ tlsConfig:
+ serverName: {{ include "metal-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc
+ {{- if .Values.certManager.enable }}
+ ca:
+ secret:
+ name: metrics-server-cert
+ key: ca.crt
+ cert:
+ secret:
+ name: metrics-server-cert
+ key: tls.crt
+ keySecret:
+ name: metrics-server-cert
+ key: tls.key
+ {{- else }}
+ insecureSkipVerify: true
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ control-plane: controller-manager
+{{- end }}
diff --git a/dist/chart/templates/prometheus/monitor.yaml b/dist/chart/templates/prometheus/monitor.yaml
deleted file mode 100644
index 6d9a8bc95..000000000
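Review bot: `insecureSkipVerify: true` is rendered whenever `metrics.secure` is true but `certManager.enable` is false, and unlike the deleted monitor.yaml the branch no longer carries the "Development/Test mode (insecure configuration)" comment that told a reader this is an unverified-TLS fallback. Add a comment on the `else` branch such as `# No cert-manager CA available: TLS is used but the server certificate is not verified; intended for development only` so the trade-off stays visible in the template. The `bearerTokenFile` line still presents the scraper's service-account token, so the gap is server verification, not client authentication.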
--- a/dist/chart/templates/prometheus/monitor.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# To integrate with Prometheus. -{{- if .Values.prometheus.enable }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - control-plane: controller-manager - name: metal-operator-controller-manager-metrics-monitor - namespace: {{ .Release.Namespace }} -spec: - endpoints: - - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - {{- if .Values.certmanager.enable }} - serverName: metal-operator-controller-manager-metrics-service.{{ .Release.Namespace }}.svc - # Apply secure TLS configuration with cert-manager - insecureSkipVerify: false - ca: - secret: - name: metrics-server-cert - key: ca.crt - cert: - secret: - name: metrics-server-cert - key: tls.crt - keySecret: - name: metrics-server-cert - key: tls.key - {{- else }} - # Development/Test mode (insecure configuration) - insecureSkipVerify: true - {{- end }} - selector: - matchLabels: - control-plane: controller-manager -{{- end }} diff --git a/dist/chart/templates/rbac/biossettings-admin-role.yaml b/dist/chart/templates/rbac/biossettings-admin-role.yaml new file mode 100644 index 000000000..d8c53a85a --- /dev/null +++ b/dist/chart/templates/rbac/biossettings-admin-role.yaml 
@@ -0,0 +1,34 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: biossettings-admin-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettings-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - biossettings
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - biossettings/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biossettings-editor-role.yaml b/dist/chart/templates/rbac/biossettings-editor-role.yaml
new file mode 100644
index 000000000..27513d7d4
--- /dev/null
+++ b/dist/chart/templates/rbac/biossettings-editor-role.yaml
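Review bot: The labels on this role hard-code `app.kubernetes.io/name: clusterrole` and `app.kubernetes.io/instance: biossettings-admin-role` (likewise in the editor and viewer roles on L33 and L34), so a `Role` rendered with `rbac.namespaced: true` is labelled `clusterrole`, and the instance label no longer identifies the Helm release the way every other new template and the biossettingsset/biosversion roles do (`app.kubernetes.io/instance: {{ .Release.Name }}`). Switch these three files to the same four-label block used by biossettingsset-admin-role.yaml so label-based selection behaves uniformly across the chart. Separately, all of the new helper-role files (L32–L42) drop the header comment from the deleted versions explaining that the roles are not used by the operator itself and exist for admins to delegate access; a one-line `{{- /* Helper role for cluster admins to bind; not used by the operator itself */ -}}` at the top of each file would keep that intent discoverable.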
@@ -0,0 +1,40 @@ +{{- if .Values.rbac.helpers.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: biossettings-editor-role + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: clusterrole + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettings-editor-role" "context" $) }} +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/biossettings-viewer-role.yaml b/dist/chart/templates/rbac/biossettings-viewer-role.yaml new file mode 100644 index 000000000..e6d3d6cb4 --- /dev/null +++ b/dist/chart/templates/rbac/biossettings-viewer-role.yaml 
@@ -0,0 +1,36 @@ +{{- if .Values.rbac.helpers.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: biossettings-viewer-role + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: clusterrole + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettings-viewer-role" "context" $) }} +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/biossettings_admin_role.yaml b/dist/chart/templates/rbac/biossettings_admin_role.yaml deleted file mode 100755 index 947468dd8..000000000 --- a/dist/chart/templates/rbac/biossettings_admin_role.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants full permissions ('*') over metal.ironcore.dev. -# This role is intended for users authorized to modify roles and bindings within the cluster, -# enabling them to delegate specific permissions to other users or groups as needed. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: biossettings-admin-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings - verbs: - - '*' -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings/status - verbs: - - get -{{- end -}} diff --git a/dist/chart/templates/rbac/biossettings_editor_role.yaml b/dist/chart/templates/rbac/biossettings_editor_role.yaml deleted file mode 100755 index 2b680a0a1..000000000 --- a/dist/chart/templates/rbac/biossettings_editor_role.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants permissions to create, update, and delete resources within the metal.ironcore.dev. -# This role is intended for users who need to manage these resources -# but should not control RBAC or manage permissions for others. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: biossettings-editor-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings/status - verbs: - - get -{{- end -}} 
diff --git a/dist/chart/templates/rbac/biossettings_viewer_role.yaml b/dist/chart/templates/rbac/biossettings_viewer_role.yaml deleted file mode 100755 index 9e11208b8..000000000 --- a/dist/chart/templates/rbac/biossettings_viewer_role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants read-only access to metal.ironcore.dev resources. -# This role is intended for users who need visibility into these resources -# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: biossettings-viewer-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings - verbs: - - get - - list - - watch -- apiGroups: - - metal.ironcore.dev - resources: - - biossettings/status - verbs: - - get -{{- end -}} diff --git a/dist/chart/templates/rbac/biossettingsset-admin-role.yaml b/dist/chart/templates/rbac/biossettingsset-admin-role.yaml new file mode 100644 index 000000000..648f88c2b --- /dev/null +++ b/dist/chart/templates/rbac/biossettingsset-admin-role.yaml 
@@ -0,0 +1,31 @@ +{{- if .Values.rbac.helpers.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettingsset-admin-role" "context" $) }} +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/biossettingsset-editor-role.yaml b/dist/chart/templates/rbac/biossettingsset-editor-role.yaml new file mode 100644 index 000000000..da48ef144 --- /dev/null +++ b/dist/chart/templates/rbac/biossettingsset-editor-role.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.rbac.helpers.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettingsset-editor-role" "context" $) }} +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/biossettingsset-viewer-role.yaml b/dist/chart/templates/rbac/biossettingsset-viewer-role.yaml new file mode 100644 index 000000000..8fb3da825 --- /dev/null +++ b/dist/chart/templates/rbac/biossettingsset-viewer-role.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.rbac.helpers.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "biossettingsset-viewer-role" "context" $) }} +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/biossettingsset_admin_role.yaml b/dist/chart/templates/rbac/biossettingsset_admin_role.yaml deleted file mode 100755 index e3668df07..000000000 --- a/dist/chart/templates/rbac/biossettingsset_admin_role.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants full permissions ('*') over metal.ironcore.dev. -# This role is intended for users authorized to modify roles and bindings within the cluster, -# enabling them to delegate specific permissions to other users or groups as needed. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: biossettingsset-admin-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - biossettingssets - verbs: - - '*' -- apiGroups: - - metal.ironcore.dev - resources: - - biossettingssets/status - verbs: - - get -{{- end -}} 
diff --git a/dist/chart/templates/rbac/biossettingsset_editor_role.yaml b/dist/chart/templates/rbac/biossettingsset_editor_role.yaml deleted file mode 100755 index 19d29a8cd..000000000 --- a/dist/chart/templates/rbac/biossettingsset_editor_role.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants permissions to create, update, and delete resources within the metal.ironcore.dev. -# This role is intended for users who need to manage these resources -# but should not control RBAC or manage permissions for others. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: biossettingsset-editor-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - biossettingssets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - metal.ironcore.dev - resources: - - biossettingssets/status - verbs: - - get -{{- end -}} diff --git a/dist/chart/templates/rbac/biossettingsset_viewer_role.yaml b/dist/chart/templates/rbac/biossettingsset_viewer_role.yaml deleted file mode 100755 index d0b310050..000000000 --- a/dist/chart/templates/rbac/biossettingsset_viewer_role.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biossettingsset-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biossettingssets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biossettingssets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversion-admin-role.yaml b/dist/chart/templates/rbac/biosversion-admin-role.yaml
new file mode 100644
index 000000000..d569e983d
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversion-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversion-admin-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions
+  verbs:
+  - '*'
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions/status
+  verbs:
+  - get
+{{- end }}
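Review bot: The new biosversion-admin-role template drops the header comment its deleted predecessor carried (biosversion_admin_role.yaml, removed later in this diff): that these helper roles are not used by metal-operator itself, and that the admin variant grants `'*'`, which in Kubernetes RBAC also covers `deletecollection` and any verb added later. Readers of the rendered chart now have to infer the intent from the resource name alone. I would restore it at the top of each new helper template, either as a `#` comment that survives rendering or as a template comment such as `{{- /* Helper role for cluster admins to delegate access; not used by metal-operator itself. */}}`. The same applies to the other new admin, editor and viewer templates in this diff.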
diff --git a/dist/chart/templates/rbac/biosversion-editor-role.yaml b/dist/chart/templates/rbac/biosversion-editor-role.yaml
new file mode 100644
index 000000000..d26af7241
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversion-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversion-editor-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biosversion-viewer-role.yaml b/dist/chart/templates/rbac/biosversion-viewer-role.yaml
new file mode 100644
index 000000000..d0394acd4
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversion-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversion-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversions/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biosversion_admin_role.yaml b/dist/chart/templates/rbac/biosversion_admin_role.yaml
deleted file mode 100755
index dd4453d40..000000000
--- a/dist/chart/templates/rbac/biosversion_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversion-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversion_editor_role.yaml b/dist/chart/templates/rbac/biosversion_editor_role.yaml
deleted file mode 100755
index 89104d3c1..000000000
--- a/dist/chart/templates/rbac/biosversion_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversion-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversion_viewer_role.yaml b/dist/chart/templates/rbac/biosversion_viewer_role.yaml
deleted file mode 100755
index a0df23557..000000000
--- a/dist/chart/templates/rbac/biosversion_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversion-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversionset-admin-role.yaml b/dist/chart/templates/rbac/biosversionset-admin-role.yaml
new file mode 100644
index 000000000..e106e4462
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversionset-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversionset-admin-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets
+  verbs:
+  - '*'
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biosversionset-editor-role.yaml b/dist/chart/templates/rbac/biosversionset-editor-role.yaml
new file mode 100644
index 000000000..e41482096
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversionset-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversionset-editor-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biosversionset-viewer-role.yaml b/dist/chart/templates/rbac/biosversionset-viewer-role.yaml
new file mode 100644
index 000000000..7c1069f0c
--- /dev/null
+++ b/dist/chart/templates/rbac/biosversionset-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "biosversionset-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - biosversionsets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/biosversionset_admin_role.yaml b/dist/chart/templates/rbac/biosversionset_admin_role.yaml
deleted file mode 100755
index f1146cb80..000000000
--- a/dist/chart/templates/rbac/biosversionset_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversionset-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversionset_editor_role.yaml b/dist/chart/templates/rbac/biosversionset_editor_role.yaml
deleted file mode 100755
index 76ee48830..000000000
--- a/dist/chart/templates/rbac/biosversionset_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversionset-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/biosversionset_viewer_role.yaml b/dist/chart/templates/rbac/biosversionset_viewer_role.yaml
deleted file mode 100755
index f6c6fd712..000000000
--- a/dist/chart/templates/rbac/biosversionset_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: biosversionset-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - biosversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmc-admin-role.yaml b/dist/chart/templates/rbac/bmc-admin-role.yaml
new file mode 100644
index 000000000..2bbd00d85
--- /dev/null
+++ b/dist/chart/templates/rbac/bmc-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmc-admin-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs
+  verbs:
+  - '*'
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmc-editor-role.yaml b/dist/chart/templates/rbac/bmc-editor-role.yaml
new file mode 100644
index 000000000..39f63c4d5
--- /dev/null
+++ b/dist/chart/templates/rbac/bmc-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: bmc-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmc-editor-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmc-viewer-role.yaml b/dist/chart/templates/rbac/bmc-viewer-role.yaml
new file mode 100644
index 000000000..7d048c059
--- /dev/null
+++ b/dist/chart/templates/rbac/bmc-viewer-role.yaml
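Review bot: The label block of bmc-editor-role diverges from the other new helper templates in this diff: `app.kubernetes.io/instance` is hard-coded to `bmc-editor-role` instead of `{{ .Release.Name }}`, and `app.kubernetes.io/name` is hard-coded to `clusterrole` even though the `rbac.namespaced` branch a few lines above renders a `Role`; the remaining templates use `{{ include "metal-operator.name" . }}` and `{{ .Release.Name }}`. A release-wide label selector on `app.kubernetes.io/instance` will therefore miss these objects, and the static value also collides if two releases of the chart are installed. I would align the two lines with the siblings, `app.kubernetes.io/name: {{ include "metal-operator.name" . }}` and `app.kubernetes.io/instance: {{ .Release.Name }}`, and either drop the extra `component`/`created-by`/`part-of` labels or add them consistently everywhere. The same divergence appears in bmc-viewer-role, bmcsecret-editor-role and bmcsecret-viewer-role.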
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: bmc-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmc-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcs/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmc_admin_role.yaml b/dist/chart/templates/rbac/bmc_admin_role.yaml
deleted file mode 100644
index 70131cb11..000000000
--- a/dist/chart/templates/rbac/bmc_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmc-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmc_editor_role.yaml b/dist/chart/templates/rbac/bmc_editor_role.yaml
deleted file mode 100755
index 7f8e8762a..000000000
--- a/dist/chart/templates/rbac/bmc_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit bmcs.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmc-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmc_viewer_role.yaml b/dist/chart/templates/rbac/bmc_viewer_role.yaml
deleted file mode 100755
index 75a074574..000000000
--- a/dist/chart/templates/rbac/bmc_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view bmcs.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmc-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcs/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsecret-admin-role.yaml b/dist/chart/templates/rbac/bmcsecret-admin-role.yaml
new file mode 100644
index 000000000..6a7ebfa02
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsecret-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsecret-admin-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets
+  verbs:
+  - '*'
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsecret-editor-role.yaml b/dist/chart/templates/rbac/bmcsecret-editor-role.yaml
new file mode 100644
index 000000000..18c93978b
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsecret-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: bmcsecret-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsecret-editor-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsecret-viewer-role.yaml b/dist/chart/templates/rbac/bmcsecret-viewer-role.yaml
new file mode 100644
index 000000000..e6fd3aaf2
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsecret-viewer-role.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: bmcsecret-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsecret-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsecrets/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsecret_admin_role.yaml b/dist/chart/templates/rbac/bmcsecret_admin_role.yaml
deleted file mode 100644
index 1b6fff7ce..000000000
--- a/dist/chart/templates/rbac/bmcsecret_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsecret-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsecret_editor_role.yaml b/dist/chart/templates/rbac/bmcsecret_editor_role.yaml
deleted file mode 100755
index 922d6829f..000000000
--- a/dist/chart/templates/rbac/bmcsecret_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit bmcsecrets.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsecret-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsecret_viewer_role.yaml b/dist/chart/templates/rbac/bmcsecret_viewer_role.yaml
deleted file mode 100755
index cc30f5e42..000000000
--- a/dist/chart/templates/rbac/bmcsecret_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view bmcsecrets.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsecret-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsecrets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettings-admin-role.yaml b/dist/chart/templates/rbac/bmcsettings-admin-role.yaml
new file mode 100644
index 000000000..4e874cfaa
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettings-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettings-admin-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings
+  verbs:
+  - '*'
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettings-editor-role.yaml b/dist/chart/templates/rbac/bmcsettings-editor-role.yaml
new file mode 100644
index 000000000..2fe5b6e80
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettings-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettings-editor-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettings-viewer-role.yaml b/dist/chart/templates/rbac/bmcsettings-viewer-role.yaml
new file mode 100644
index 000000000..3147dcda7
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettings-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettings-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal.ironcore.dev
+  resources:
+  - bmcsettings/status
+  verbs:
+  - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettings_admin_role.yaml b/dist/chart/templates/rbac/bmcsettings_admin_role.yaml
deleted file mode 100755
index 61fc49310..000000000
--- a/dist/chart/templates/rbac/bmcsettings_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettings-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettings_editor_role.yaml b/dist/chart/templates/rbac/bmcsettings_editor_role.yaml
deleted file mode 100755
index c71b72149..000000000
--- a/dist/chart/templates/rbac/bmcsettings_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettings-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettings_viewer_role.yaml b/dist/chart/templates/rbac/bmcsettings_viewer_role.yaml
deleted file mode 100755
index 1011dd1be..000000000
--- a/dist/chart/templates/rbac/bmcsettings_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettings-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettings/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettingsset-admin-role.yaml b/dist/chart/templates/rbac/bmcsettingsset-admin-role.yaml
new file mode 100644
index 000000000..06d5d0916
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettingsset-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettingsset-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettingsset-editor-role.yaml b/dist/chart/templates/rbac/bmcsettingsset-editor-role.yaml
new file mode 100644
index 000000000..f9cc5bafd
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettingsset-editor-role.yaml
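Review bot: The four label lines under `labels:` in this new template are pasted verbatim into every other new `*-admin-role.yaml`, `*-editor-role.yaml` and `*-viewer-role.yaml` in this commit (the bmcsettingsset, bmcuser, bmcversion and bmcversionset families, and endpoint-admin-role.yaml), whereas the deleted files shared a single `{{- include "chart.labels" . | nindent 4 }}`; moving the block into a named template, as `metal-operator.name` and `metal-operator.resourceName` already are, keeps the label set in one place so the files cannot drift apart. The deleted files also opened with a header comment saying the role is not used by the operator itself and summarising the grant, and the new files carry no comment, so a reader has to infer from `- '*'` that this role hands out every verb on `bmcsettingssets`. I would reinstate it after the first line as `# Optional helper role for cluster admins, not used by metal-operator itself: full ('*') access to bmcsettingssets.` and the matching one-liner in each sibling file.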
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettingsset-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettingsset-viewer-role.yaml b/dist/chart/templates/rbac/bmcsettingsset-viewer-role.yaml
new file mode 100644
index 000000000..af22bb451
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcsettingsset-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcsettingsset-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcsettingssets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcsettingsset_admin_role.yaml b/dist/chart/templates/rbac/bmcsettingsset_admin_role.yaml
deleted file mode 100755
index f1a2c2d50..000000000
--- a/dist/chart/templates/rbac/bmcsettingsset_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettingsset-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettingsset_editor_role.yaml b/dist/chart/templates/rbac/bmcsettingsset_editor_role.yaml
deleted file mode 100755
index 4412ac7c4..000000000
--- a/dist/chart/templates/rbac/bmcsettingsset_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettingsset-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcsettingsset_viewer_role.yaml b/dist/chart/templates/rbac/bmcsettingsset_viewer_role.yaml
deleted file mode 100755
index f9544cfe4..000000000
--- a/dist/chart/templates/rbac/bmcsettingsset_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcsettingsset-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcsettingssets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcuser-admin-role.yaml b/dist/chart/templates/rbac/bmcuser-admin-role.yaml
new file mode 100644
index 000000000..22eb38af9
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcuser-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcuser-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcuser-editor-role.yaml b/dist/chart/templates/rbac/bmcuser-editor-role.yaml
new file mode 100644
index 000000000..5a857558c
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcuser-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcuser-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcuser-viewer-role.yaml b/dist/chart/templates/rbac/bmcuser-viewer-role.yaml
new file mode 100644
index 000000000..a45453df9
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcuser-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcuser-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcusers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcuser_admin_role.yaml b/dist/chart/templates/rbac/bmcuser_admin_role.yaml
deleted file mode 100644
index 2fedf9d54..000000000
--- a/dist/chart/templates/rbac/bmcuser_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcuser-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcuser_editor_role.yaml b/dist/chart/templates/rbac/bmcuser_editor_role.yaml
deleted file mode 100644
index 1964d4780..000000000
--- a/dist/chart/templates/rbac/bmcuser_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcuser-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcuser_viewer_role.yaml b/dist/chart/templates/rbac/bmcuser_viewer_role.yaml
deleted file mode 100644
index 46f5d5039..000000000
--- a/dist/chart/templates/rbac/bmcuser_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcuser-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcusers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversion-admin-role.yaml b/dist/chart/templates/rbac/bmcversion-admin-role.yaml
new file mode 100644
index 000000000..433180f5f
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversion-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversion-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversion-editor-role.yaml b/dist/chart/templates/rbac/bmcversion-editor-role.yaml
new file mode 100644
index 000000000..c122c90de
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversion-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversion-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversion-viewer-role.yaml b/dist/chart/templates/rbac/bmcversion-viewer-role.yaml
new file mode 100644
index 000000000..790c125e9
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversion-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversion-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversions/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversion_admin_role.yaml b/dist/chart/templates/rbac/bmcversion_admin_role.yaml
deleted file mode 100755
index dc312befd..000000000
--- a/dist/chart/templates/rbac/bmcversion_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversion-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversion_editor_role.yaml b/dist/chart/templates/rbac/bmcversion_editor_role.yaml
deleted file mode 100755
index e95187d37..000000000
--- a/dist/chart/templates/rbac/bmcversion_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversion-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversion_viewer_role.yaml b/dist/chart/templates/rbac/bmcversion_viewer_role.yaml
deleted file mode 100755
index 4ade2c30d..000000000
--- a/dist/chart/templates/rbac/bmcversion_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversion-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversions/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversionset-admin-role.yaml b/dist/chart/templates/rbac/bmcversionset-admin-role.yaml
new file mode 100644
index 000000000..296da6b85
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversionset-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversionset-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversionset-editor-role.yaml b/dist/chart/templates/rbac/bmcversionset-editor-role.yaml
new file mode 100644
index 000000000..a69cd7d97
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversionset-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversionset-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversionset-viewer-role.yaml b/dist/chart/templates/rbac/bmcversionset-viewer-role.yaml
new file mode 100644
index 000000000..831b74c09
--- /dev/null
+++ b/dist/chart/templates/rbac/bmcversionset-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "bmcversionset-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - bmcversionsets/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/bmcversionset_admin_role.yaml b/dist/chart/templates/rbac/bmcversionset_admin_role.yaml
deleted file mode 100755
index 33a090ef6..000000000
--- a/dist/chart/templates/rbac/bmcversionset_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversionset-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversionset_editor_role.yaml b/dist/chart/templates/rbac/bmcversionset_editor_role.yaml
deleted file mode 100755
index 8327a07a7..000000000
--- a/dist/chart/templates/rbac/bmcversionset_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversionset-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/bmcversionset_viewer_role.yaml b/dist/chart/templates/rbac/bmcversionset_viewer_role.yaml
deleted file mode 100755
index 05615bcc9..000000000
--- a/dist/chart/templates/rbac/bmcversionset_viewer_role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants read-only access to metal.ironcore.dev resources.
-# This role is intended for users who need visibility into these resources
-# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: bmcversionset-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - bmcversionsets/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/controller-manager.yaml b/dist/chart/templates/rbac/controller-manager.yaml
new file mode 100644
index 000000000..28e06e7f2
--- /dev/null
+++ b/dist/chart/templates/rbac/controller-manager.yaml
@@ -0,0 +1,24 @@
+{{- if ne .Values.serviceAccount.enable false }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: serviceaccount
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ {{- with .Values.serviceAccount.labels }}
+ {{- with omit . "app.kubernetes.io/component" "app.kubernetes.io/created-by" "app.kubernetes.io/instance" "app.kubernetes.io/managed-by" "app.kubernetes.io/name" "helm.sh/chart" "app.kubernetes.io/part-of" }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "metal-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/dist/chart/templates/rbac/endpoint-admin-role.yaml b/dist/chart/templates/rbac/endpoint-admin-role.yaml
new file mode 100644
index 000000000..97a0a355f
--- /dev/null
+++ b/dist/chart/templates/rbac/endpoint-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "endpoint-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/endpoint-editor-role.yaml b/dist/chart/templates/rbac/endpoint-editor-role.yaml
new file mode 100644
index 000000000..96cbfe89a
--- /dev/null
+++ b/dist/chart/templates/rbac/endpoint-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: endpoint-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "endpoint-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/endpoint-viewer-role.yaml b/dist/chart/templates/rbac/endpoint-viewer-role.yaml
new file mode 100644
index 000000000..0bc644148
--- /dev/null
+++ b/dist/chart/templates/rbac/endpoint-viewer-role.yaml
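Review bot: `app.kubernetes.io/name: clusterrole` is a fixed string at the label line, but the `kind:` selected a few lines above is `Role` whenever `.Values.rbac.namespaced` is set, so in namespaced mode the object is labelled as a kind it is not; the same hard-coded value appears in endpoint-viewer-role.yaml in the next hunk. This seven-label set also differs from endpoint-admin-role.yaml in the previous hunk, which labels the same family of objects with `app.kubernetes.io/name: {{ include "metal-operator.name" . }}` and `app.kubernetes.io/instance: {{ .Release.Name }}`, so two of the three endpoint helper roles cannot be selected with the same label selector as the third. I would either adopt the admin-role label block here and in the viewer role, or make the value follow the kind with the same `{{- if .Values.rbac.namespaced }}`/`{{- else }}` switch already used for `kind:` a few lines up.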
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: endpoint-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "endpoint-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - endpoints/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/endpoint_admin_role.yaml b/dist/chart/templates/rbac/endpoint_admin_role.yaml
deleted file mode 100644
index 6df53b080..000000000
--- a/dist/chart/templates/rbac/endpoint_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: endpoint-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/endpoint_editor_role.yaml b/dist/chart/templates/rbac/endpoint_editor_role.yaml
deleted file mode 100755
index db965cb7e..000000000
--- a/dist/chart/templates/rbac/endpoint_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit endpoints.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: endpoint-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/endpoint_viewer_role.yaml b/dist/chart/templates/rbac/endpoint_viewer_role.yaml
deleted file mode 100755
index 0142cfe55..000000000
--- a/dist/chart/templates/rbac/endpoint_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view endpoints.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: endpoint-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - endpoints/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/leader_election_role.yaml b/dist/chart/templates/rbac/leader-election-role.yaml
old mode 100755
new mode 100644
similarity index 50%
rename from dist/chart/templates/rbac/leader_election_role.yaml
rename to dist/chart/templates/rbac/leader-election-role.yaml
index fa9064425..815548aca
--- a/dist/chart/templates/rbac/leader_election_role.yaml
+++ b/dist/chart/templates/rbac/leader-election-role.yaml
@@ -1,12 +1,16 @@ -{{- if .Values.rbac.enable }} -# permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - {{- include "chart.labels" . | nindent 4 }} + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: role + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "leader-election-role" "context" $) }} namespace: {{ .Release.Namespace }} - name: metal-operator-leader-election-role rules: - apiGroups: - "" @@ -39,4 +43,3 @@ rules: verbs: - create - patch -{{- end -}} diff --git a/dist/chart/templates/rbac/leader-election-rolebinding.yaml b/dist/chart/templates/rbac/leader-election-rolebinding.yaml new file mode 100644 index 000000000..3c6cfc309 --- /dev/null +++ b/dist/chart/templates/rbac/leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: rolebinding + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "leader-election-rolebinding" "context" $) }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "metal-operator.resourceName" (dict "suffix" "leader-election-role" "context" $) }} +subjects: +- kind: ServiceAccount + name: {{ include "metal-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} 
diff --git a/dist/chart/templates/rbac/leader_election_role_binding.yaml b/dist/chart/templates/rbac/leader_election_role_binding.yaml deleted file mode 100755 index 5537d97d8..000000000 --- a/dist/chart/templates/rbac/leader_election_role_binding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.rbac.enable }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} - name: metal-operator-leader-election-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: metal-operator-leader-election-role -subjects: -- kind: ServiceAccount - name: {{ .Values.controllerManager.serviceAccountName }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/dist/chart/templates/rbac/role.yaml b/dist/chart/templates/rbac/manager-role.yaml old mode 100755 new mode 100644 similarity index 88% rename from dist/chart/templates/rbac/role.yaml rename to dist/chart/templates/rbac/manager-role.yaml index f37becf76..35e855c80 --- a/dist/chart/templates/rbac/role.yaml +++ b/dist/chart/templates/rbac/manager-role.yaml @@ -1,11 +1,14 @@ -{{- if .Values.rbac.enable }} ---- apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: Role +{{- else }} kind: ClusterRole +{{- end }} metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: metal-operator-manager-role +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "manager-role" "context" $) }} rules: - apiGroups: - "" @@ -120,4 +123,3 @@ rules: - get - patch - update -{{- end -}} diff --git a/dist/chart/templates/rbac/manager-rolebinding.yaml b/dist/chart/templates/rbac/manager-rolebinding.yaml new file mode 100644 index 000000000..f900bae84 --- /dev/null +++ b/dist/chart/templates/rbac/manager-rolebinding.yaml 
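Review bot: Rendering the manager role as `kind: Role` under `.Values.rbac.namespaced` is only sound if every rule in the list (which continues past this hunk) targets namespaced resources; a Role cannot grant cluster-scoped kinds, and Kubernetes will accept the manifest at install time and only deny the manager at runtime, so the failure mode is silent until the controller logs forbidden errors. Worth checking the rule list against that flag and recording the constraint in the template, e.g. `# Rendered as a Role when .Values.rbac.namespaced is set; the rules below must then contain only namespaced resources` placed before `apiVersion`. The hunk also removes the `labels:` block from the manager role without replacement, while the sibling role and rolebinding templates in this commit carry a label set; metrics-auth-role, metrics-auth-rolebinding and metrics-reader end up unlabelled the same way.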
@@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.rbac.namespaced }} +kind: RoleBinding +{{- else }} +kind: ClusterRoleBinding +{{- end }} +metadata: +{{- if .Values.rbac.namespaced }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: clusterrolebinding + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "manager-rolebinding" "context" $) }} +roleRef: + apiGroup: rbac.authorization.k8s.io + {{- if .Values.rbac.namespaced }} + kind: Role + {{- else }} + kind: ClusterRole + {{- end }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "manager-role" "context" $) }} +subjects: +- kind: ServiceAccount + name: {{ include "metal-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/dist/chart/templates/rbac/metrics_auth_role.yaml b/dist/chart/templates/rbac/metrics-auth-role.yaml old mode 100755 new mode 100644 similarity index 60% rename from dist/chart/templates/rbac/metrics_auth_role.yaml rename to dist/chart/templates/rbac/metrics-auth-role.yaml index 041dda581..489994c4e --- a/dist/chart/templates/rbac/metrics_auth_role.yaml +++ b/dist/chart/templates/rbac/metrics-auth-role.yaml @@ -1,10 +1,8 @@ -{{- if and .Values.rbac.enable .Values.metrics.enable }} +{{- if and .Values.metrics.enable .Values.metrics.secure }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: metal-operator-metrics-auth-role + name: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-auth-role" "context" $) }} rules: - apiGroups: - authentication.k8s.io 
@@ -18,4 +16,4 @@ rules: - subjectaccessreviews verbs: - create -{{- end -}} +{{- end }} diff --git a/dist/chart/templates/rbac/metrics-auth-rolebinding.yaml b/dist/chart/templates/rbac/metrics-auth-rolebinding.yaml new file mode 100644 index 000000000..d9d2782ae --- /dev/null +++ b/dist/chart/templates/rbac/metrics-auth-rolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.metrics.enable .Values.metrics.secure }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-auth-rolebinding" "context" $) }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-auth-role" "context" $) }} +subjects: +- kind: ServiceAccount + name: {{ include "metal-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/dist/chart/templates/rbac/metrics-reader.yaml b/dist/chart/templates/rbac/metrics-reader.yaml new file mode 100644 index 000000000..6e1f21d9e --- /dev/null +++ b/dist/chart/templates/rbac/metrics-reader.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.metrics.enable .Values.metrics.secure }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "metal-operator.resourceName" (dict "suffix" "metrics-reader" "context" $) }} +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +{{- end }} diff --git a/dist/chart/templates/rbac/metrics_auth_role_binding.yaml b/dist/chart/templates/rbac/metrics_auth_role_binding.yaml deleted file mode 100755 index 1e31a0bcd..000000000 --- a/dist/chart/templates/rbac/metrics_auth_role_binding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-{{- if and .Values.rbac.enable .Values.metrics.enable }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: metal-operator-metrics-auth-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metal-operator-metrics-auth-role
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.controllerManager.serviceAccountName }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/dist/chart/templates/rbac/metrics_reader_role.yaml b/dist/chart/templates/rbac/metrics_reader_role.yaml
deleted file mode 100755
index 28f0eb064..000000000
--- a/dist/chart/templates/rbac/metrics_reader_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if and .Values.rbac.enable .Values.metrics.enable }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: metal-operator-metrics-reader
-rules:
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/role_binding.yaml b/dist/chart/templates/rbac/role_binding.yaml
deleted file mode 100755
index e44c53fc3..000000000
--- a/dist/chart/templates/rbac/role_binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.rbac.enable }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: metal-operator-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metal-operator-manager-role
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.controllerManager.serviceAccountName }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/dist/chart/templates/rbac/server-admin-role.yaml b/dist/chart/templates/rbac/server-admin-role.yaml
new file mode 100644
index 000000000..d15448997
--- /dev/null
+++ b/dist/chart/templates/rbac/server-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "server-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/server-editor-role.yaml b/dist/chart/templates/rbac/server-editor-role.yaml
new file mode 100644
index 000000000..906c26737
--- /dev/null
+++ b/dist/chart/templates/rbac/server-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: server-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "server-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/server-viewer-role.yaml b/dist/chart/templates/rbac/server-viewer-role.yaml
new file mode 100644
index 000000000..dd93f5a53
--- /dev/null
+++ b/dist/chart/templates/rbac/server-viewer-role.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: server-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "server-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servers/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/server_admin_role.yaml b/dist/chart/templates/rbac/server_admin_role.yaml
deleted file mode 100644
index 72d9dda83..000000000
--- a/dist/chart/templates/rbac/server_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: server-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/server_editor_role.yaml b/dist/chart/templates/rbac/server_editor_role.yaml
deleted file mode 100755
index 83d4ff4a5..000000000
--- a/dist/chart/templates/rbac/server_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit servers.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: server-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/server_viewer_role.yaml b/dist/chart/templates/rbac/server_viewer_role.yaml
deleted file mode 100755
index bff6c1544..000000000
--- a/dist/chart/templates/rbac/server_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view servers.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: server-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servers/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration-admin-role.yaml b/dist/chart/templates/rbac/serverbootconfiguration-admin-role.yaml
new file mode 100644
index 000000000..1d7b7b171
--- /dev/null
+++ b/dist/chart/templates/rbac/serverbootconfiguration-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverbootconfiguration-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration-editor-role.yaml b/dist/chart/templates/rbac/serverbootconfiguration-editor-role.yaml
new file mode 100644
index 000000000..94b4a05c9
--- /dev/null
+++ b/dist/chart/templates/rbac/serverbootconfiguration-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: serverbootconfiguration-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverbootconfiguration-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration-viewer-role.yaml b/dist/chart/templates/rbac/serverbootconfiguration-viewer-role.yaml
new file mode 100644
index 000000000..21c8c112d
--- /dev/null
+++ b/dist/chart/templates/rbac/serverbootconfiguration-viewer-role.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: serverbootconfiguration-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverbootconfiguration-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverbootconfigurations/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration_admin_role.yaml b/dist/chart/templates/rbac/serverbootconfiguration_admin_role.yaml
deleted file mode 100644
index d6b69fe98..000000000
--- a/dist/chart/templates/rbac/serverbootconfiguration_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverbootconfiguration-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration_editor_role.yaml b/dist/chart/templates/rbac/serverbootconfiguration_editor_role.yaml
deleted file mode 100755
index 1864a68d7..000000000
--- a/dist/chart/templates/rbac/serverbootconfiguration_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit serverbootconfigurations.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverbootconfiguration-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverbootconfiguration_viewer_role.yaml b/dist/chart/templates/rbac/serverbootconfiguration_viewer_role.yaml
deleted file mode 100755
index 2d0446986..000000000
--- a/dist/chart/templates/rbac/serverbootconfiguration_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view serverbootconfigurations.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverbootconfiguration-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverbootconfigurations/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverclaim-admin-role.yaml b/dist/chart/templates/rbac/serverclaim-admin-role.yaml
new file mode 100644
index 000000000..7eb1e0bb8
--- /dev/null
+++ b/dist/chart/templates/rbac/serverclaim-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverclaim-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverclaim-editor-role.yaml b/dist/chart/templates/rbac/serverclaim-editor-role.yaml
new file mode 100644
index 000000000..a3a6d241d
--- /dev/null
+++ b/dist/chart/templates/rbac/serverclaim-editor-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: serverclaim-editor-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverclaim-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverclaim-viewer-role.yaml b/dist/chart/templates/rbac/serverclaim-viewer-role.yaml
new file mode 100644
index 000000000..d919f56d6
--- /dev/null
+++ b/dist/chart/templates/rbac/serverclaim-viewer-role.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: metal-operator
+ app.kubernetes.io/instance: serverclaim-viewer-role
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: clusterrole
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/part-of: metal-operator
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "serverclaim-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - serverclaims/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/serverclaim_admin_role.yaml b/dist/chart/templates/rbac/serverclaim_admin_role.yaml
deleted file mode 100644
index ef1fce0fd..000000000
--- a/dist/chart/templates/rbac/serverclaim_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverclaim-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverclaim_editor_role.yaml b/dist/chart/templates/rbac/serverclaim_editor_role.yaml
deleted file mode 100755
index 298d15586..000000000
--- a/dist/chart/templates/rbac/serverclaim_editor_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to edit serverclaims.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverclaim-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/serverclaim_viewer_role.yaml b/dist/chart/templates/rbac/serverclaim_viewer_role.yaml
deleted file mode 100755
index f3d148659..000000000
--- a/dist/chart/templates/rbac/serverclaim_viewer_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.enable }}
-# permissions for end users to view serverclaims.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: serverclaim-viewer-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - serverclaims/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/servermaintenance-admin-role.yaml b/dist/chart/templates/rbac/servermaintenance-admin-role.yaml
new file mode 100644
index 000000000..a069d04af
--- /dev/null
+++ b/dist/chart/templates/rbac/servermaintenance-admin-role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "servermaintenance-admin-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances
+ verbs:
+ - '*'
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/servermaintenance-editor-role.yaml b/dist/chart/templates/rbac/servermaintenance-editor-role.yaml
new file mode 100644
index 000000000..391c0b230
--- /dev/null
+++ b/dist/chart/templates/rbac/servermaintenance-editor-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "servermaintenance-editor-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/servermaintenance-viewer-role.yaml b/dist/chart/templates/rbac/servermaintenance-viewer-role.yaml
new file mode 100644
index 000000000..4d5609cf8
--- /dev/null
+++ b/dist/chart/templates/rbac/servermaintenance-viewer-role.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.helpers.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+{{- if .Values.rbac.namespaced }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "metal-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ name: {{ include "metal-operator.resourceName" (dict "suffix" "servermaintenance-viewer-role" "context" $) }}
+rules:
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metal.ironcore.dev
+ resources:
+ - servermaintenances/status
+ verbs:
+ - get
+{{- end }}
diff --git a/dist/chart/templates/rbac/servermaintenance_admin_role.yaml b/dist/chart/templates/rbac/servermaintenance_admin_role.yaml
deleted file mode 100755
index 145c5e501..000000000
--- a/dist/chart/templates/rbac/servermaintenance_admin_role.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants full permissions ('*') over metal.ironcore.dev.
-# This role is intended for users authorized to modify roles and bindings within the cluster,
-# enabling them to delegate specific permissions to other users or groups as needed.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: servermaintenance-admin-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servermaintenances
- verbs:
- - '*'
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servermaintenances/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/servermaintenance_editor_role.yaml b/dist/chart/templates/rbac/servermaintenance_editor_role.yaml
deleted file mode 100755
index 23175939f..000000000
--- a/dist/chart/templates/rbac/servermaintenance_editor_role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.rbac.enable }}
-# This rule is not used by the project metal-operator itself.
-# It is provided to allow the cluster admin to help manage permissions for users.
-#
-# Grants permissions to create, update, and delete resources within the metal.ironcore.dev.
-# This role is intended for users who need to manage these resources
-# but should not control RBAC or manage permissions for others.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "chart.labels" . | nindent 4 }}
- name: servermaintenance-editor-role
-rules:
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servermaintenances
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metal.ironcore.dev
- resources:
- - servermaintenances/status
- verbs:
- - get
-{{- end -}}
diff --git a/dist/chart/templates/rbac/servermaintenance_viewer_role.yaml b/dist/chart/templates/rbac/servermaintenance_viewer_role.yaml
deleted file mode 100755
index b7de278cf..000000000
--- a/dist/chart/templates/rbac/servermaintenance_viewer_role.yaml
+++ /dev/null
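Review bot: The header comment carried by the deleted server_admin_role.yaml — that the role is not used by the operator itself, grants `'*'` on the resource, and exists so cluster admins can delegate permissions — does not survive into this new template, so a reader of the chart now meets a wildcard-verb role with no statement of intent. The same omission applies to the serverbootconfiguration-, serverclaim- and servermaintenance-admin-role templates added in this commit. Suggest restoring that comment block (the six `#` lines from the deleted file) directly after the `{{- if .Values.rbac.helpers.enable }}` guard; it passes through as a YAML comment and does not change the rendered manifest.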
@@ -1,30 +0,0 @@ -{{- if .Values.rbac.enable }} -# This rule is not used by the project metal-operator itself. -# It is provided to allow the cluster admin to help manage permissions for users. -# -# Grants read-only access to metal.ironcore.dev resources. -# This role is intended for users who need visibility into these resources -# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - name: servermaintenance-viewer-role -rules: -- apiGroups: - - metal.ironcore.dev - resources: - - servermaintenances - verbs: - - get - - list - - watch -- apiGroups: - - metal.ironcore.dev - resources: - - servermaintenances/status - verbs: - - get -{{- end -}} diff --git a/dist/chart/templates/rbac/service_account.yaml b/dist/chart/templates/rbac/service_account.yaml deleted file mode 100755 index 93e0a323e..000000000 --- a/dist/chart/templates/rbac/service_account.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.rbac.enable }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - {{- include "chart.labels" . | nindent 4 }} - {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }} - annotations: - {{- range $key, $value := .Values.controllerManager.serviceAccount.annotations }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - name: {{ .Values.controllerManager.serviceAccountName }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/dist/chart/templates/registry-service/service.yaml b/dist/chart/templates/registry-service/service.yaml index 5613d78d9..62f7597cf 100644 --- a/dist/chart/templates/registry-service/service.yaml +++ b/dist/chart/templates/registry-service/service.yaml 
@@ -6,12 +6,12 @@ metadata: namespace: {{ .Release.Namespace }} spec: ports: - - name: registry - port: {{ .Values.registry.port }} - protocol: TCP - targetPort: {{ .Values.registry.port }} + - name: registry + port: {{ .Values.registry.port }} + protocol: TCP + targetPort: {{ .Values.registry.port }} selector: control-plane: controller-manager - {{- include "chart.selectorLabels" . | nindent 4 }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} type: ClusterIP -{{ end }} \ No newline at end of file +{{ end }} diff --git a/dist/chart/templates/webhook/service.yaml b/dist/chart/templates/webhook/service.yaml deleted file mode 100644 index ecd90a84a..000000000 --- a/dist/chart/templates/webhook/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.webhook.enable }} -apiVersion: v1 -kind: Service -metadata: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - labels: - {{- include "chart.labels" . | nindent 4 }} -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - control-plane: controller-manager -{{- end }} diff --git a/dist/chart/templates/webhook/validating-webhook-configuration.yaml b/dist/chart/templates/webhook/validating-webhook-configuration.yaml new file mode 100644 index 000000000..874591d41 --- /dev/null +++ b/dist/chart/templates/webhook/validating-webhook-configuration.yaml 
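Review bot: The registry Service selector now matches only `app.kubernetes.io/name: {{ include "metal-operator.name" . }}` plus `control-plane: controller-manager`, with no release-specific label, so two releases of the chart in the same namespace would presumably both route registry call-backs to each other's manager pods; the new `webhook-service.yaml` later in this diff uses the same two-label selector. If the Deployment template (not visible here) labels its pods with `app.kubernetes.io/instance: {{ .Release.Name }}`, adding that key to both selectors would scope each Service to its own release. The old `chart.selectorLabels` include presumably carried the instance label, so this may be a silent narrowing of what the selector used to guarantee — worth confirming against the Deployment's pod labels.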
@@ -0,0 +1,163 @@ +{{- if .Values.webhook.enable }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + {{- if .Values.certManager.enable }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "metal-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }} + {{- end }} + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: validating-webhook-configuration + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: validatingwebhookconfiguration + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/part-of: metal-operator + name: {{ include "metal-operator.resourceName" (dict "suffix" "validating-webhook-configuration" "context" $) }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-biossettings + failurePolicy: Fail + name: vbiossettings-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - biossettings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-biosversion + failurePolicy: Fail + name: vbiosversion-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - biosversions + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" 
"context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-bmcsecret + failurePolicy: Fail + name: vbmcsecret-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcsecrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-bmcsettings + failurePolicy: Fail + name: vbmcsettings-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcsettings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-bmcversion + failurePolicy: Fail + name: vbmcversion-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcversions + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: /validate-metal-ironcore-dev-v1alpha1-endpoint + failurePolicy: Fail + name: vendpoint-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - endpoints + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} + path: 
/validate-metal-ironcore-dev-v1alpha1-server + failurePolicy: Fail + name: vserver-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - servers + sideEffects: None +{{- end }} diff --git a/dist/chart/templates/webhook/webhook-service.yaml b/dist/chart/templates/webhook/webhook-service.yaml new file mode 100644 index 000000000..402bf36e1 --- /dev/null +++ b/dist/chart/templates/webhook/webhook-service.yaml @@ -0,0 +1,20 @@ +{{- if .Values.webhook.enable }} +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: {{ include "metal-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 443 + protocol: TCP + targetPort: {{ .Values.webhook.port }} + selector: + app.kubernetes.io/name: {{ include "metal-operator.name" . }} + control-plane: controller-manager +{{- end }} diff --git a/dist/chart/templates/webhook/webhooks.yaml b/dist/chart/templates/webhook/webhooks.yaml deleted file mode 100644 index d75c1501c..000000000 --- a/dist/chart/templates/webhook/webhooks.yaml +++ /dev/null 
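Review bot: When `certManager.enable` is false the `cert-manager.io/inject-ca-from` annotation is skipped but nothing else populates `clientConfig.caBundle`, so the API server has no trust anchor for the webhook's serving certificate and, with `failurePolicy: Fail` on every entry, every CREATE/UPDATE/DELETE of the listed `metal.ironcore.dev` resources would be rejected rather than validated (unless something outside this diff injects the bundle). Either guard the combination in the template, e.g. `{{- if and .Values.webhook.enable (not .Values.certManager.enable) }}{{ fail "webhook.enable requires certManager.enable" }}{{- end }}`, or add an optional value (say `webhook.caBundle`, base64-encoded) that is rendered into `clientConfig.caBundle` so a deployment without cert-manager can still supply the CA. An explicit `timeoutSeconds` on each webhook would also make a stalled webhook server fail fast instead of after the API server's default. The metadata no longer carries a `namespace` as the deleted `webhooks.yaml` did; that is correct for a cluster-scoped ValidatingWebhookConfiguration and worth a one-line comment so nobody re-adds it.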
@@ -1,158 +0,0 @@ -{{- if .Values.webhook.enable }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: metal-operator-validating-webhook-configuration - namespace: {{ .Release.Namespace }} - annotations: - {{- if .Values.certmanager.enable }} - cert-manager.io/inject-ca-from: "{{ $.Release.Namespace }}/serving-cert" - {{- end }} - labels: - {{- include "chart.labels" . | nindent 4 }} -webhooks: - - name: vbiossettings-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-biossettings - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - CREATE - - UPDATE - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - biossettings - - name: vbiosversion-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-biosversion - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - CREATE - - UPDATE - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - biosversions - - name: vbmcsecret-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-bmcsecret - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - CREATE - - UPDATE - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - bmcsecrets - - name: vbmcsettings-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-bmcsettings - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - 
- v1 - rules: - - operations: - - CREATE - - UPDATE - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - bmcsettings - - name: vbmcversion-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-bmcversion - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - CREATE - - UPDATE - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - bmcversions - - name: vendpoint-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-endpoint - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - endpoints - - name: vserver-v1alpha1.kb.io - clientConfig: - service: - name: metal-operator-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metal-ironcore-dev-v1alpha1-server - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - rules: - - operations: - - DELETE - apiGroups: - - metal.ironcore.dev - apiVersions: - - v1alpha1 - resources: - - servers -{{- end }} diff --git a/dist/chart/values.yaml b/dist/chart/values.yaml index b2830ee6f..466405afb 100644 --- a/dist/chart/values.yaml +++ b/dist/chart/values.yaml 
@@ -1,104 +1,182 @@ -# [MANAGER]: Manager Deployment Configurations -controllerManager: - enable: true +## String to partially override chart.fullname template (will maintain the release name) +## +# nameOverride: "" + +## String to fully override chart.fullname template +## +# fullnameOverride: "" + +## Configure the controller manager deployment +## +manager: + ## Set to false to skip manager installation + ## + enabled: true + replicas: 1 - strategy: - type: Recreate - manager: - image: - repository: controller - tag: latest - args: - - "--leader-elect" - - "--metrics-bind-address=:8443" - - "--health-probe-bind-address=:8081" - resources: - limits: - cpu: 300m - memory: 200Mi - requests: - cpu: 300m - memory: 50Mi - livenessProbe: - initialDelaySeconds: 15 - periodSeconds: 20 - httpGet: - path: /healthz - port: 8081 - readinessProbe: - initialDelaySeconds: 5 - periodSeconds: 10 - httpGet: - path: /readyz - port: 8081 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - dnsRecordTemplate: - enabled: false + + image: + repository: controller + ## Image tag (defaults to Chart.appVersion if not set) + ## + # tag: "" + pullPolicy: IfNotPresent + + ## Arguments + ## + args: + - --leader-elect + + ## Image pull secrets + ## + # imagePullSecrets: + # - name: myregistrykey + + ## Pod-level security settings + ## podSecurityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault + + ## Container-level security settings + ## + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + ## Resource limits and requests + ## + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + + ## Manager pod's affinity + ## + affinity: {} + + ## Manager pod's node selector + ## + nodeSelector: {} + + ## Manager pod's tolerations + ## + tolerations: [] + + ## Deployment strategy + ## + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + 
+ ## Priority class name + ## + # priorityClassName: "" + + ## Topology spread constraints + ## + # topologySpreadConstraints: [] + + ## Termination grace period seconds + ## terminationGracePeriodSeconds: 10 - serviceAccountName: metal-operator-controller-manager - hostNetwork: true -registry: - enabled: false - port: 30000 + ## Custom Deployment labels + ## + # labels: {} + + ## Custom Deployment annotations + ## + # annotations: {} + + ## Custom Pod labels and annotations + ## + # pod: + # labels: {} + # annotations: {} -# [RBAC]: To enable RBAC (Permissions) configurations +## RBAC configuration +## rbac: + ## RBAC resource scope + ## - false (default): ClusterRole/ClusterRoleBinding (all namespaces) + ## - true: Role/RoleBinding (release namespace only) + ## + namespaced: false + + ## Helper roles for CRD management (admin/editor/viewer) + ## + helpers: + ## Install convenience admin/editor/viewer roles for CRDs + ## + enable: false + +## ServiceAccount configuration +## +serviceAccount: + # Install default ServiceAccount provided enable: true -# [CRDs]: To enable the CRDs + ## Existing ServiceAccount name (only when enable=false) + ## Note: When enable=true, respects nameOverride/fullnameOverride + ## + # name: "" + + ## Custom ServiceAccount annotations + ## + # annotations: {} + + ## Custom ServiceAccount labels + ## + # labels: {} + +## Custom Resource Definitions +## crd: - # This option determines whether the CRDs are included - # in the installation process. + # Install CRDs with the chart enable: true - - # Enabling this option adds the "helm.sh/resource-policy": keep - # annotation to the CRD, ensuring it remains installed even when - # the Helm release is uninstalled. - # NOTE: Removing the CRDs will also remove all cert-manager CR(s) - # (Certificates, Issuers, ...) due to garbage collection. + # Keep CRDs when uninstalling keep: true -# [METRICS]: Set to true to generate manifests for exporting metrics. 
-# To disable metrics export set false, and ensure that the -# ControllerManager argument "--metrics-bind-address=:8443" is removed. +## Controller metrics endpoint. +## Enable to expose /metrics endpoint +## metrics: enable: true + # Metrics server port + port: 8443 + # Enable secure metrics: HTTPS with certs/auth (true) or HTTP (false). + # Note: Metrics authn/authz needs ClusterRole access. + secure: true -# [WEBHOOKS]: Webhooks configuration -# The following configuration is automatically generated from the manifests -# generated by controller-gen. To update run 'make manifests' and -# the edit command with the '--force' flag -webhook: +## Cert-manager integration for TLS certificates. +## Required for webhook certificates and metrics endpoint certificates. +## +certManager: enable: true -# [PROMETHEUS]: To enable a ServiceMonitor to export metrics to Prometheus set true -prometheus: - enable: false - -# [CERT-MANAGER]: To enable cert-manager injection to webhooks set true -certmanager: +## Webhook server configuration +## +webhook: enable: true + # Webhook server port + port: 9443 -# [NETWORK POLICIES]: To enable NetworkPolicies set true -networkPolicy: +## Prometheus ServiceMonitor for metrics scraping. +## Requires prometheus-operator to be installed in the cluster. +## +prometheus: enable: false -# [IGNITION]: Ignition template configuration -# By default, the operator uses a template file baked into the container at /etc/metal-operator/ignition-template.yaml -# Enable this to override the template by mounting a ConfigMap at that location -ignition: - # Set to true to override the default ignition template with a custom one. - override: false - # Template content that can be customized - this will be created as a ConfigMap - # and mounted to override the default template - # template: | - \ No newline at end of file +## The registry service exposed by the metal-controller-manager to receive metalprobe request call-backs. 
+registry: + enabled: false + port: 30000 diff --git a/dist/install.yaml b/dist/install.yaml new file mode 100644 index 000000000..b42e71e9a --- /dev/null +++ b/dist/install.yaml 
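Review bot: The toggles in the new values mix two spellings — `manager.enabled` and `registry.enabled` versus `rbac.helpers.enable`, `serviceAccount.enable`, `crd.enable`, `metrics.enable`, `certManager.enable`, `webhook.enable` and `prometheus.enable` — so a user who writes `webhook.enabled: false` by analogy gets no error and an unchanged install, since Helm silently ignores unknown keys unless a values schema rejects them. Picking one spelling chart-wide (or accepting the other as an alias in the templates) would remove that silent no-op. Separately, the comment on `metrics.secure` says authn/authz needs ClusterRole access while `rbac.namespaced: true` switches the chart to Role/RoleBinding; the token and access reviews that secure metrics rely on are cluster-scoped, so a note such as `# metrics.secure=true is not supported together with rbac.namespaced=true` (or a template guard) would make the constraint visible. The `helpers.enable` comment could also say that the admin helper grants `'*'` on the CRDs, so the default of `false` reads as deliberate rather than accidental.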
@@ -0,0 +1,5683 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + control-plane: controller-manager + name: metal-operator-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: biossettings.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BIOSSettings + listKind: BIOSSettingsList + plural: biossettings + shortNames: + - bioss + singular: biossettings + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.version + name: BIOSVersion + type: string + - jsonPath: .spec.serverRef.name + name: ServerRef + type: string + - jsonPath: .spec.serverMaintenanceRef.name + name: ServerMaintenanceRef + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .status.lastAppliedTime + name: AppliedOn + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BIOSSettings is the Schema for the biossettings API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BIOSSettingsSpec defines the desired state of BIOSSettings. + properties: + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to be + enforced on the server. + type: string + serverMaintenanceRef: + description: ServerMaintenanceRef is a reference to a ServerMaintenance + object that BIOSSettings has requested for the referred server. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + serverRef: + description: ServerRef is a reference to a specific server to apply + the BIOS settings on. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serverRef is immutable + rule: self == oldSelf + settingsFlow: + description: SettingsFlow contains the BIOS settings sequence to apply + in the given order. 
+ items: + properties: + name: + description: Name is the name of the flow item. + maxLength: 1000 + minLength: 1 + type: string + priority: + description: Priority defines the order of applying the settings. + Lower numbers have higher priority (i.e. lower numbers are + applied first). + format: int32 + maximum: 2147483645 + minimum: 1 + type: integer + settings: + additionalProperties: + type: string + description: Settings contains software (e.g. BIOS, BMC) settings + as a map. + type: object + required: + - name + - priority + type: object + type: array + version: + description: Version specifies the software version (e.g. BIOS, BMC) + these settings apply to. + type: string + required: + - version + type: object + status: + description: BIOSSettingsStatus defines the observed state of BIOSSettings. + properties: + conditions: + description: Conditions represents the latest available observations + of the BIOSSettings's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failedAttempts: + description: FailedAttempts is the number of automatic retry attempts + made after failure. + format: int32 + type: integer + flowState: + description: FlowState is a list of individual BIOSSettings operation + flows. + items: + properties: + conditions: + description: Conditions represents the latest available observations + of the BIOSSettings's current Flowstate. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + flowState: + description: State represents the current state of the BIOS + settings update for the current priority. + type: string + lastAppliedTime: + description: LastAppliedTime represents the timestamp when the + last setting was successfully applied. + format: date-time + type: string + name: + description: Name identifies the current priority settings from + the spec. + type: string + priority: + description: Priority identifies the settings priority from + the spec. 
+ format: int32 + type: integer + type: object + type: array + lastAppliedTime: + description: LastAppliedTime represents the timestamp when the last + setting was successfully applied. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration is the most recent generation observed + by the controller. + format: int64 + type: integer + state: + description: State represents the current state of the BIOS settings + update. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: biossettingssets.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BIOSSettingsSet + listKind: BIOSSettingsSetList + plural: biossettingssets + shortNames: + - biosss + singular: biossettingsset + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.biosSettingsTemplate.version + name: BIOSVersion + type: string + - jsonPath: .status.fullyLabeledServers + name: TotalServers + type: string + - jsonPath: .status.availableBIOSSettings + name: AvailableBIOSSettings + type: string + - jsonPath: .status.pendingBIOSSettings + name: Pending + type: string + - jsonPath: .status.inProgressBIOSSettings + name: InProgress + type: string + - jsonPath: .status.completedBIOSSettings + name: Completed + type: string + - jsonPath: .status.failedBIOSSettings + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BIOSSettingsSet is the Schema for the biossettingssets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BIOSSettingsSetSpec defines the desired state of BIOSSettingsSet. + properties: + biosSettingsTemplate: + description: BIOSSettingsTemplate defines the template for the BIOSSettings + resource to be applied to the servers. + properties: + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to + be enforced on the server. + type: string + settingsFlow: + description: SettingsFlow contains the BIOS settings sequence + to apply in the given order. + items: + properties: + name: + description: Name is the name of the flow item. + maxLength: 1000 + minLength: 1 + type: string + priority: + description: Priority defines the order of applying the + settings. Lower numbers have higher priority (i.e. lower + numbers are applied first). + format: int32 + maximum: 2147483645 + minimum: 1 + type: integer + settings: + additionalProperties: + type: string + description: Settings contains software (e.g. 
BIOS, BMC) + settings as a map. + type: object + required: + - name + - priority + type: object + type: array + version: + description: Version specifies the software version (e.g. BIOS, + BMC) these settings apply to. + type: string + required: + - version + type: object + serverSelector: + description: ServerSelector specifies a label selector to identify + the servers that are to be selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - serverSelector + type: object + status: + description: BIOSSettingsSetStatus defines the observed state of BIOSSettingsSet. 
+ properties: + availableBIOSSettings: + description: AvailableBIOSSettings is the number of BIOSSettings currently + created by the set. + format: int32 + type: integer + completedBIOSSettings: + description: CompletedBIOSSettings is the total number of completed + BIOSSettings in the set. + format: int32 + type: integer + failedBIOSSettings: + description: FailedBIOSSettings is the total number of failed BIOSSettings + in the set. + format: int32 + type: integer + fullyLabeledServers: + description: FullyLabeledServers is the number of servers in the set. + format: int32 + type: integer + inProgressBIOSSettings: + description: InProgressBIOSSettings is the total number of BIOSSettings + in the set that are currently in progress. + format: int32 + type: integer + pendingBIOSSettings: + description: PendingBIOSSettings is the total number of pending BIOSSettings + in the set. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: biosversions.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BIOSVersion + listKind: BIOSVersionList + plural: biosversions + shortNames: + - biosv + singular: biosversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.version + name: BIOSVersion + type: string + - jsonPath: .spec.updatePolicy + name: UpdatePolicy + type: string + - jsonPath: .spec.serverRef.name + name: ServerRef + type: string + - jsonPath: .spec.serverMaintenanceRef.name + name: ServerMaintenanceRef + type: string + - jsonPath: .status.upgradeTask.state + name: TaskState + type: string + - jsonPath: .status.upgradeTask.status + name: TaskStatus + type: string + - jsonPath: .status.upgradeTask.percentageComplete + 
name: TaskProgress + type: integer + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BIOSVersion is the Schema for the biosversions API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BIOSVersionSpec defines the desired state of BIOSVersion. + properties: + image: + description: Image specifies the image to use to upgrade to the given + BIOS version. + properties: + URI: + description: URI is the URI of the software image to install. + type: string + secretRef: + description: SecretRef is a reference to the Secret containing + the credentials to access the image URI. + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + transferProtocol: + description: TransferProtocol is the network protocol used to + retrieve the image URI. + type: string + required: + - URI + type: object + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. 
+ properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to be + enforced on the server. + type: string + serverMaintenanceRef: + description: ServerMaintenanceRef is a reference to a ServerMaintenance + object that the controller has requested for the referred server. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + serverRef: + description: ServerRef is a reference to a specific server to apply + the BIOS upgrade on. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serverRef is immutable + rule: self == oldSelf + updatePolicy: + description: UpdatePolicy indicates whether the server's upgrade service + should bypass vendor update policies. + type: string + version: + description: Version specifies the BIOS version to upgrade to. + type: string + required: + - image + - version + type: object + status: + description: BIOSVersionStatus defines the observed state of BIOSVersion. + properties: + conditions: + description: Conditions represents the latest available observations + of the BIOS version upgrade state. 
+ items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failedAttempts: + description: FailedAttempts is the number of automatic retry attempts + made after failure. + format: int32 + type: integer + observedGeneration: + description: ObservedGeneration is the most recent generation observed + by the controller. + format: int64 + type: integer + state: + description: State represents the current state of the BIOS upgrade + task. + type: string + upgradeTask: + description: UpgradeTask contains the state of the Upgrade Task created + by the BMC + properties: + URI: + description: URI is the URI of the task created by the BMC for + the BIOS upgrade. + type: string + percentageComplete: + description: PercentComplete is the percentage of completion of + the task. + format: int32 + type: integer + state: + description: State is the current state of the task. + type: string + status: + description: Status is the current status of the task. 
+ type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: biosversionsets.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BIOSVersionSet + listKind: BIOSVersionSetList + plural: biosversionsets + shortNames: + - biosvs + singular: biosversionset + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.biosVersionTemplate.version + name: BIOSVersion + type: string + - jsonPath: .status.fullyLabeledServers + name: selectedServers + type: integer + - jsonPath: .status.availableBIOSVersion + name: AvailableBIOSVersion + type: integer + - jsonPath: .status.pendingBIOSVersion + name: Pending + type: integer + - jsonPath: .status.inProgressBIOSVersion + name: InProgress + type: integer + - jsonPath: .status.completedBIOSVersion + name: Completed + type: integer + - jsonPath: .status.failedBIOSVersion + name: Failed + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BIOSVersionSet is the Schema for the biosversionsets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BIOSVersionSetSpec defines the desired state of BIOSVersionSet. + properties: + biosVersionTemplate: + description: BIOSVersionTemplate defines the template for the BIOSVersion + resource to be applied to the servers. + properties: + image: + description: Image specifies the image to use to upgrade to the + given BIOS version. + properties: + URI: + description: URI is the URI of the software image to install. + type: string + secretRef: + description: SecretRef is a reference to the Secret containing + the credentials to access the image URI. + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which + the secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + transferProtocol: + description: TransferProtocol is the network protocol used + to retrieve the image URI. + type: string + required: + - URI + type: object + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to + be enforced on the server. + type: string + updatePolicy: + description: UpdatePolicy indicates whether the server's upgrade + service should bypass vendor update policies. + type: string + version: + description: Version specifies the BIOS version to upgrade to. 
+ type: string + required: + - image + - version + type: object + serverSelector: + description: ServerSelector specifies a label selector to identify + the servers that are to be selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - serverSelector + type: object + status: + description: BIOSVersionSetStatus defines the observed state of BIOSVersionSet. + properties: + availableBIOSVersion: + description: AvailableBIOSVersion is the number of BIOSVersion created + by the set. + format: int32 + type: integer + completedBIOSVersion: + description: CompletedBIOSVersion is the total number of completed + BIOSVersion in the set. 
+ format: int32 + type: integer + failedBIOSVersion: + description: FailedBIOSVersion is the total number of failed BIOSVersion + in the set. + format: int32 + type: integer + fullyLabeledServers: + description: FullyLabeledServers is the number of servers in the set. + format: int32 + type: integer + inProgressBIOSVersion: + description: InProgressBIOSVersion is the total number of BIOSVersion + resources in the set that are currently in progress. + format: int32 + type: integer + pendingBIOSVersion: + description: PendingBIOSVersion is the total number of pending BIOSVersion + in the set. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcs.metal.ironcore.dev +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /convert + conversionReviewVersions: + - v1 + group: metal.ironcore.dev + names: + kind: BMC + listKind: BMCList + plural: bmcs + singular: bmc + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.macAddress + name: MACAddress + type: string + - jsonPath: .status.ip + name: IP + type: string + - jsonPath: .status.model + name: Model + type: string + - jsonPath: .status.sku + name: SKU + priority: 100 + type: string + - jsonPath: .status.serialNumber + name: SerialNumber + priority: 100 + type: string + - jsonPath: .status.firmwareVersion + name: FirmwareVersion + priority: 100 + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .status.powerState + name: PowerState + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + 
openAPIV3Schema: + description: BMC is the Schema for the bmcs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCSpec defines the desired state of BMC + properties: + access: + description: Endpoint specifies inline network access details for + the BMC. + properties: + ip: + description: IP is the IP address of the BMC. + type: string + macAddress: + description: MACAddress is the MAC address of the endpoint. + type: string + type: object + x-kubernetes-validations: + - message: access is immutable + rule: self == oldSelf + bmcSecretRef: + description: |- + BMCSecretRef is a reference to the BMCSecret object that contains the credentials + required to access the BMC. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + bmcSettingsRef: + description: |- + BMCSettingRef is a reference to a BMCSettings object that specifies + the BMC configuration for this BMC. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + bmcUUID: + description: BMCUUID is the unique identifier for the BMC as defined + in Redfish API. + type: string + consoleProtocol: + description: ConsoleProtocol specifies the protocol to be used for + console access to the BMC. + properties: + name: + description: Name specifies the name of the console protocol. + enum: + - IPMI + - SSH + - SSHLenovo + type: string + port: + description: Port specifies the port number used for console access. + format: int32 + type: integer + required: + - name + - port + type: object + endpointRef: + description: EndpointRef is a reference to the Endpoint object that + contains the network access information for the BMC. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: endpointRef is immutable + rule: self == oldSelf + hostname: + description: Hostname is the hostname of the BMC. + type: string + protocol: + description: Protocol specifies the protocol to be used for communicating + with the BMC. + properties: + name: + description: Name specifies the name of the protocol. + type: string + port: + description: Port specifies the port number used for communication. 
+ format: int32 + type: integer + scheme: + description: Scheme specifies the scheme used for communication. + type: string + required: + - name + - port + type: object + required: + - bmcSecretRef + - protocol + type: object + x-kubernetes-validations: + - message: exactly one of access or endpointRef needs to be set + rule: has(self.access) != has(self.endpointRef) + status: + description: BMCStatus defines the observed state of BMC. + properties: + conditions: + description: Conditions represents the latest available observations + of the BMC's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + eventsSubscriptionLink: + description: EventsSubscriptionLink is the link to the events subscription + of the bmc. + type: string + firmwareVersion: + description: FirmwareVersion is the version of the firmware currently + running on the BMC. + type: string + ip: + description: IP is the IP address of the BMC. + type: string + lastResetTime: + description: LastResetTime is the timestamp of the last reset operation + performed on the BMC. + format: date-time + type: string + macAddress: + description: MACAddress is the MAC address of the BMC. + pattern: ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ + type: string + manufacturer: + description: Manufacturer is the name of the BMC manufacturer. + type: string + metricsReportSubscriptionLink: + description: MetricsReportSubscriptionLink is the link to the metrics + report subscription of the bmc. + type: string + model: + description: Model is the model number or name of the BMC. + type: string + powerState: + description: PowerState represents the current power state of the + BMC. + type: string + serialNumber: + description: SerialNumber is the serial number of the BMC. + type: string + sku: + description: SKU is the stock keeping unit identifier for the BMC. + type: string + state: + default: Pending + description: |- + State represents the current state of the BMC. 
+ kubebuilder:validation:Enum=Enabled;Error;Pending + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcsecrets.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCSecret + listKind: BMCSecretList + plural: bmcsecrets + shortNames: + - bmcsec + singular: bmcsecret + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCSecret is the Schema for the bmcsecrets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + data: + additionalProperties: + format: byte + type: string + description: |- + Data contains the secret data. Each key must consist of alphanumeric + characters, '-', '_' or '.'. The serialized form of the secret data is a + base64 encoded string, representing the arbitrary (possibly non-string) + data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 + type: object + immutable: + description: |- + Immutable, if set to true, ensures that data stored in the Secret cannot + be updated (only object metadata can be modified). + If not set to true, the field can be modified at any time. + Defaulted to nil. + type: boolean + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + stringData: + additionalProperties: + type: string + description: |- + stringData allows specifying non-binary secret data in string form. + It is provided as a write-only input field for convenience. + All keys and values are merged into the data field on write, overwriting any existing values. + The stringData field is never output when reading from the API. + type: object + type: + description: |- + Used to facilitate programmatic handling of secret data. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + type: string + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcsettings.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCSettings + listKind: BMCSettingsList + plural: bmcsettings + singular: bmcsettings + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.version + name: BMCVersion + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.BMCRef.name + name: BMCRef + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCSettings is the Schema for the BMCSettings API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCSettingsSpec defines the desired state of BMCSettings. + properties: + BMCRef: + description: BMCRef is a reference to a specific BMC to apply settings + to. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: BMCRef is immutable + rule: self == oldSelf + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to be + applied on the server. + type: string + serverMaintenanceRefs: + description: |- + ServerMaintenanceRefs are references to ServerMaintenance objects which are created by the controller for each + server that needs to be updated with the BMC settings. 
+ items: + description: ServerMaintenanceRefItem is a reference to a ServerMaintenance + object. + properties: + serverMaintenanceRef: + description: ServerMaintenanceRef is a reference to a ServerMaintenance + object that the BMCSettings has requested for the referred + server. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced + object. + type: string + required: + - name + - namespace + type: object + type: object + type: array + settings: + additionalProperties: + type: string + description: SettingsMap contains BMC settings as a map. + type: object + variables: + description: Variables is a list of variables that can be used in + the settings for templating. + items: + properties: + key: + description: Key is the name of the variable to be used in the + BMCSettingsTemplate format. + maxLength: 63 + minLength: 1 + type: string + valueFrom: + description: ValueFrom defines a simple single source for the + variable value. + properties: + configMapKeyRef: + description: ConfigMapKeyRef points to a namespaced ConfigMap + key. + properties: + key: + description: Key is the key within the referenced object. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the referenced object name. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the referenced object namespace. + maxLength: 63 + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + fieldRef: + description: |- + FieldRef sources the value from a field of the BMCSettings object itself (e.g. spec.BMCRef.name). + Only string-typed fields are supported; integer, bool, or map fields will cause a resolution error. + properties: + fieldPath: + description: |- + FieldPath is the path of the field on the BMCSettings object to select (e.g. spec.BMCRef.name). 
+ Only string-typed fields are supported; integer, bool, or map fields will cause a resolution error. + maxLength: 256 + minLength: 1 + type: string + required: + - fieldPath + type: object + objectFieldRef: + description: |- + ObjectFieldRef sources the value from a field of a named related object. + The kind must be "BMC". Supports dot-path navigation and bracket notation for map keys + containing dots or slashes (e.g. metadata.labels[kubernetes.metal.cloud.sap/nodename]). + properties: + fieldPath: + description: |- + FieldPath is the path of the field to select on the target object. + Supports dot-path navigation (e.g. metadata.name) and bracket notation for map + keys containing dots or slashes (e.g. metadata.labels[topology.kubernetes.io/region]). + maxLength: 256 + minLength: 1 + type: string + kind: + description: Kind is the API kind of the object to read + the field from (e.g. "BMC"). + maxLength: 63 + minLength: 1 + type: string + name: + description: |- + Name is the name of the object to read the field from. + Supports $(VAR) substitution using previously resolved variables in declaration order. + maxLength: 253 + minLength: 1 + type: string + required: + - fieldPath + - kind + - name + type: object + secretKeyRef: + description: SecretKeyRef points to a namespaced Secret + key. + properties: + key: + description: Key is the key within the referenced object. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the referenced object name. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the referenced object namespace. + maxLength: 63 + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + type: object + x-kubernetes-validations: + - message: exactly one of fieldRef, objectFieldRef, configMapKeyRef, + or secretKeyRef must be provided + rule: '(has(self.fieldRef) ? 1 : 0) + (has(self.objectFieldRef) + ? 1 : 0) + (has(self.configMapKeyRef) ? 
1 : 0) + (has(self.secretKeyRef) + ? 1 : 0) == 1' + - message: objectFieldRef.kind must be 'BMC' + rule: '!has(self.objectFieldRef) || self.objectFieldRef.kind + == ''BMC''' + required: + - key + - valueFrom + type: object + maxItems: 64 + type: array + version: + description: Version specifies the BMC firmware version for which + the settings should be applied. + type: string + required: + - BMCRef + - version + type: object + x-kubernetes-validations: + - message: variable keys must be unique + rule: '!has(self.variables) || self.variables.all(v, self.variables.filter(w, + w.key == v.key).size() == 1)' + status: + description: BMCSettingsStatus defines the observed state of BMCSettings. + properties: + conditions: + description: Conditions represents the latest available observations + of the BMC Settings Resource state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failedAttempts: + description: FailedAttempts is the number of automatic retry attempts + made after failure. + format: int32 + type: integer + observedGeneration: + description: ObservedGeneration is the most recent generation observed + by the controller. + format: int64 + type: integer + state: + description: State represents the current state of the BMC configuration + task. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcsettingssets.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCSettingsSet + listKind: BMCSettingsSetList + plural: bmcsettingssets + singular: bmcsettingsset + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.bmcSettingsTemplate.version + name: BMCVersion + type: string + - jsonPath: .status.fullyLabeledBMCs + name: TotalBMCs + type: integer + - jsonPath: .status.availableBMCSettings + name: AvailableBMCSettings + type: integer + - jsonPath: .status.pendingBMCSettings + name: Pending + type: integer + - jsonPath: .status.inProgressBMCSettings + name: InProgress + type: integer + - jsonPath: .status.completedBMCSettings + name: Completed + type: integer + - jsonPath: .status.failedBMCSettings + name: Failed + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCSettingsSet is the Schema for the bmcsettingssets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCSettingsSetSpec defines the desired state of BMCSettingsSet. + properties: + bmcSelector: + description: BMCSelector specifies a label selector to identify the + BMCs to be selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + bmcSettingsTemplate: + description: BMCSettingsTemplate defines the template for the BMCSettings + resource to be applied to the BMCs. 
+ properties: + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to + be applied on the server. + type: string + settings: + additionalProperties: + type: string + description: SettingsMap contains BMC settings as a map. + type: object + variables: + description: Variables is a list of variables that can be used + in the settings for templating. + items: + properties: + key: + description: Key is the name of the variable to be used + in the BMCSettingsTemplate format. + maxLength: 63 + minLength: 1 + type: string + valueFrom: + description: ValueFrom defines a simple single source for + the variable value. + properties: + configMapKeyRef: + description: ConfigMapKeyRef points to a namespaced + ConfigMap key. + properties: + key: + description: Key is the key within the referenced + object. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the referenced object name. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the referenced object + namespace. + maxLength: 63 + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + fieldRef: + description: |- + FieldRef sources the value from a field of the BMCSettings object itself (e.g. spec.BMCRef.name). + Only string-typed fields are supported; integer, bool, or map fields will cause a resolution error. + properties: + fieldPath: + description: |- + FieldPath is the path of the field on the BMCSettings object to select (e.g. spec.BMCRef.name). 
+ Only string-typed fields are supported; integer, bool, or map fields will cause a resolution error. + maxLength: 256 + minLength: 1 + type: string + required: + - fieldPath + type: object + objectFieldRef: + description: |- + ObjectFieldRef sources the value from a field of a named related object. + The kind must be "BMC". Supports dot-path navigation and bracket notation for map keys + containing dots or slashes (e.g. metadata.labels[kubernetes.metal.cloud.sap/nodename]). + properties: + fieldPath: + description: |- + FieldPath is the path of the field to select on the target object. + Supports dot-path navigation (e.g. metadata.name) and bracket notation for map + keys containing dots or slashes (e.g. metadata.labels[topology.kubernetes.io/region]). + maxLength: 256 + minLength: 1 + type: string + kind: + description: Kind is the API kind of the object + to read the field from (e.g. "BMC"). + maxLength: 63 + minLength: 1 + type: string + name: + description: |- + Name is the name of the object to read the field from. + Supports $(VAR) substitution using previously resolved variables in declaration order. + maxLength: 253 + minLength: 1 + type: string + required: + - fieldPath + - kind + - name + type: object + secretKeyRef: + description: SecretKeyRef points to a namespaced Secret + key. + properties: + key: + description: Key is the key within the referenced + object. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the referenced object name. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the referenced object + namespace. + maxLength: 63 + minLength: 1 + type: string + required: + - key + - name + - namespace + type: object + type: object + x-kubernetes-validations: + - message: exactly one of fieldRef, objectFieldRef, configMapKeyRef, + or secretKeyRef must be provided + rule: '(has(self.fieldRef) ? 1 : 0) + (has(self.objectFieldRef) + ? 1 : 0) + (has(self.configMapKeyRef) ? 
1 : 0) + (has(self.secretKeyRef) + ? 1 : 0) == 1' + - message: objectFieldRef.kind must be 'BMC' + rule: '!has(self.objectFieldRef) || self.objectFieldRef.kind + == ''BMC''' + required: + - key + - valueFrom + type: object + maxItems: 64 + type: array + version: + description: Version specifies the BMC firmware version for which + the settings should be applied. + type: string + required: + - version + type: object + x-kubernetes-validations: + - message: variable keys must be unique + rule: '!has(self.variables) || self.variables.all(v, self.variables.filter(w, + w.key == v.key).size() == 1)' + required: + - bmcSelector + - bmcSettingsTemplate + type: object + status: + description: BMCSettingsSetStatus defines the observed state of BMCSettingsSet. + properties: + availableBMCSettings: + description: AvailableBMCSettings is the number of BMCSettings currently + created by the set. + format: int32 + type: integer + completedBMCSettings: + description: CompletedBMCSettings is the total number of completed + BMCSettings in the set. + format: int32 + type: integer + failedBMCSettings: + description: FailedBMCSettings is the total number of failed BMCSettings + in the set. + format: int32 + type: integer + fullyLabeledBMCs: + description: FullyLabeledBMCs is the number of BMCs in the set. + format: int32 + type: integer + inProgressBMCSettings: + description: InProgressBMCSettings is the total number of BMCSettings + in the set that are currently in progress. + format: int32 + type: integer + pendingBMCSettings: + description: PendingBMCSettings is the total number of pending BMCSettings + in the set. 
+ format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcusers.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCUser + listKind: BMCUserList + plural: bmcusers + shortNames: + - bmcu + singular: bmcuser + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.id + name: ID + type: string + - jsonPath: .spec.userName + name: UserName + type: string + - jsonPath: .spec.roleID + name: RoleID + type: string + - jsonPath: .status.lastRotation + name: LastRotation + type: date + - jsonPath: .status.passwordExpiration + name: PasswordExpiration + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCUser is the Schema for the bmcusers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCUserSpec defines the desired state of BMCUser. + properties: + bmcRef: + description: BMCRef references the BMC this user should be created + on. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + bmcSecretRef: + description: |- + BMCSecretRef references the BMCSecret containing the credentials for this user. + If not set, the operator will generate a secure password based on BMC manufacturer requirements. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + description: + description: Description is a description for the BMC user. + type: string + roleID: + description: RoleID is the ID of the role to assign to the user. + type: string + rotationPeriod: + description: |- + RotationPeriod defines how often the password should be rotated. + If not set, the password will not be rotated. + type: string + userName: + description: UserName is the username of the BMC user. + type: string + required: + - roleID + - userName + type: object + status: + description: BMCUserStatus defines the observed state of BMCUser. + properties: + effectiveBMCSecretRef: + description: |- + EffectiveBMCSecretRef references the BMCSecret currently used for this user. + This may differ from Spec.BMCSecretRef if the operator generated a password. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + id: + description: ID is the identifier of the user in the BMC system. + type: string + lastRotation: + description: LastRotation is the timestamp of the last password rotation. + format: date-time + type: string + passwordExpiration: + description: PasswordExpiration is the timestamp when the password + will expire. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcversions.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCVersion + listKind: BMCVersionList + plural: bmcversions + shortNames: + - bmcv + singular: bmcversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.version + name: BMCVersion + type: string + - jsonPath: .spec.updatePolicy + name: UpdatePolicy + type: string + - jsonPath: .spec.bmcRef.name + name: BMCRef + type: string + - jsonPath: .status.upgradeTask.percentageComplete + name: TaskProgress + type: integer + - jsonPath: .status.upgradeTask.state + name: TaskState + type: string + - jsonPath: .status.upgradeTask.status + name: TaskStatus + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCVersion is the Schema for the bmcversions API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCVersionSpec defines the desired state of BMCVersion. + properties: + bmcRef: + description: BMCRef is a reference to a specific BMC to apply BMC + upgrade on. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: bmcRef is immutable + rule: self == oldSelf + image: + description: Image specifies the image to use to upgrade to the given + BMC version. + properties: + URI: + description: URI is the URI of the software image to install. + type: string + secretRef: + description: SecretRef is a reference to the Secret containing + the credentials to access the image URI. + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + transferProtocol: + description: TransferProtocol is the network protocol used to + retrieve the image URI. 
+ type: string + required: + - URI + type: object + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to be + enforced on the server managed by referred BMC. + type: string + serverMaintenanceRefs: + description: ServerMaintenanceRefs are references to ServerMaintenance + objects that the controller has requested for the related servers. + items: + description: ObjectReference is the namespaced name reference to + an object. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + type: array + updatePolicy: + description: UpdatePolicy indicates whether the server's upgrade service + should bypass vendor update policies. + type: string + version: + description: Version specifies the BMC version to upgrade to. + type: string + required: + - image + - version + type: object + status: + description: BMCVersionStatus defines the observed state of BMCVersion. + properties: + conditions: + description: Conditions represents the latest available observations + of the BMC version upgrade state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failedAttempts: + description: FailedAttempts is the number of automatic retry attempts + made after failure. + format: int32 + type: integer + observedGeneration: + description: ObservedGeneration is the most recent generation observed + by the controller. + format: int64 + type: integer + state: + description: State represents the current state of the BMC configuration + task. 
+ type: string + upgradeTask: + description: UpgradeTask contains the state of the upgrade task created + by the BMC. + properties: + URI: + description: URI is the URI of the task created by the BMC for + the BIOS upgrade. + type: string + percentageComplete: + description: PercentComplete is the percentage of completion of + the task. + format: int32 + type: integer + state: + description: State is the current state of the task. + type: string + status: + description: Status is the current status of the task. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: bmcversionsets.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: BMCVersionSet + listKind: BMCVersionSetList + plural: bmcversionsets + shortNames: + - bmcvs + singular: bmcversionset + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.bmcVersionTemplate.version + name: BMCVersion + type: string + - jsonPath: .status.fullyLabeledBMCs + name: selectedBMCs + type: integer + - jsonPath: .status.availableBMCVersion + name: AvailableBMCVersion + type: integer + - jsonPath: .status.pendingBMCVersion + name: Pending + type: integer + - jsonPath: .status.inProgressBMCVersion + name: InProgress + type: integer + - jsonPath: .status.completedBMCVersion + name: Completed + type: integer + - jsonPath: .status.failedBMCVersion + name: Failed + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BMCVersionSet is the Schema for the bmcversionsets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BMCVersionSetSpec defines the desired state of BMCVersionSet. + properties: + bmcSelector: + description: BMCSelector specifies a label selector to identify the + BMCs to be selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + bmcVersionTemplate: + description: BMCVersionTemplate defines the template for the BMCVersion + resource to be applied to the BMCs. + properties: + image: + description: Image specifies the image to use to upgrade to the + given BMC version. + properties: + URI: + description: URI is the URI of the software image to install. + type: string + secretRef: + description: SecretRef is a reference to the Secret containing + the credentials to access the image URI. + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which + the secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + transferProtocol: + description: TransferProtocol is the network protocol used + to retrieve the image URI. + type: string + required: + - URI + type: object + retryPolicy: + description: RetryPolicy defines the retry behavior for automatic + retries on transient failures. + properties: + maxAttempts: + description: |- + MaxAttempts is the maximum number of automatic retry attempts after failure. + 0 means no automatic retries. Must be between 0 and 10 inclusive. + If not set, the operator-level default is used. + format: int32 + maximum: 10 + minimum: 0 + type: integer + type: object + serverMaintenancePolicy: + description: ServerMaintenancePolicy is a maintenance policy to + be enforced on the server managed by referred BMC. + type: string + updatePolicy: + description: UpdatePolicy indicates whether the server's upgrade + service should bypass vendor update policies. 
+ type: string + version: + description: Version specifies the BMC version to upgrade to. + type: string + required: + - image + - version + type: object + required: + - bmcSelector + type: object + status: + description: BMCVersionSetStatus defines the observed state of BMCVersionSet. + properties: + availableBMCVersion: + description: AvailableBMCVersion is the number of BMCVersion resources + currently created by the set. + format: int32 + type: integer + completedBMCVersion: + description: CompletedBMCVersion is the total number of completed + BMCVersion resources in the set. + format: int32 + type: integer + failedBMCVersion: + description: FailedBMCVersion is the total number of failed BMCVersion + resources in the set. + format: int32 + type: integer + fullyLabeledBMCs: + description: FullyLabeledBMCs is the number of BMCs in the set. + format: int32 + type: integer + inProgressBMCVersion: + description: InProgressBMCVersion is the total number of BMCVersion + resources in the set that are currently in progress. + format: int32 + type: integer + pendingBMCVersion: + description: PendingBMCVersion is the total number of pending BMCVersion + resources in the set. 
+ format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: endpoints.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: Endpoint + listKind: EndpointList + plural: endpoints + shortNames: + - mep + singular: endpoint + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.macAddress + name: MACAddress + type: string + - jsonPath: .spec.ip + name: IP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Endpoint is the Schema for the endpoints API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EndpointSpec defines the desired state of Endpoint + properties: + ip: + description: IP is the IP address of the endpoint. + type: string + macAddress: + description: MACAddress is the MAC address of the endpoint. 
+ type: string + type: object + status: + description: EndpointStatus defines the observed state of Endpoint + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: serverbootconfigurations.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: ServerBootConfiguration + listKind: ServerBootConfigurationList + plural: serverbootconfigurations + shortNames: + - sbc + singular: serverbootconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.serverRef.name + name: ServerRef + type: string + - jsonPath: .spec.image + name: Image + type: string + - jsonPath: .spec.ignitionSecretRef.name + name: IgnitionRef + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServerBootConfiguration is the Schema for the serverbootconfigurations + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServerBootConfigurationSpec defines the desired state of + ServerBootConfiguration. + properties: + ignitionSecretRef: + description: |- + IgnitionSecretRef is a reference to the Secret object that contains + the ignition configuration for the server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + image: + description: Image specifies the boot image to be used for the server. + type: string + serverRef: + description: ServerRef is a reference to the server for which this + boot configuration is intended. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - serverRef + type: object + status: + description: ServerBootConfigurationStatus defines the observed state + of ServerBootConfiguration. + properties: + conditions: + description: Conditions represents the latest available observations + of the ServerBootConfig's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + description: State represents the current state of the boot configuration. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: serverclaims.metal.ironcore.dev +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /convert + conversionReviewVersions: + - v1 + group: metal.ironcore.dev + names: + kind: ServerClaim + listKind: ServerClaimList + plural: serverclaims + shortNames: + - scl + singular: serverclaim + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.serverRef.name + name: Server + type: string + - jsonPath: .spec.ignitionSecretRef.name + name: Ignition + type: string + - jsonPath: .spec.image + name: Image + type: string + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServerClaim is the Schema for the serverclaims API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServerClaimSpec defines the desired state of ServerClaim. + properties: + ignitionSecretRef: + description: |- + IgnitionSecretRef is a reference to the Secret object that contains + the ignition configuration for the server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + image: + description: Image specifies the boot image to be used for the server. + type: string + power: + description: Power specifies the desired power state of the server. + type: string + serverRef: + description: ServerRef is a reference to a specific server to be claimed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serverRef is immutable + rule: self == oldSelf + serverSelector: + description: ServerSelector specifies a label selector to identify + the server to be claimed. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: serverSelector is immutable + rule: self == oldSelf + tolerations: + description: Tolerations allow a ServerClaim to bind to a Server with + matching taints. + items: + description: |- + Toleration allows a ServerClaim to tolerate taints on a Server so that + the claim can be bound to a server that would otherwise be restricted. + properties: + effect: + description: Effect indicates the taint effect to tolerate. + enum: + - NoBind + - Evict + type: string + key: + description: Key is the taint key that the toleration applies + to. + minLength: 1 + type: string + operator: + description: Operator represents the key's relationship to the + value. + enum: + - Equal + - Exists + type: string + value: + description: Value is the taint value the toleration matches + to. 
+ type: string + required: + - key + type: object + type: array + required: + - image + - power + type: object + x-kubernetes-validations: + - message: serverRef is required once set + rule: '!has(oldSelf.serverRef) || has(self.serverRef)' + - message: serverSelector is required once set + rule: '!has(oldSelf.serverSelector) || has(self.serverSelector)' + status: + description: ServerClaimStatus defines the observed state of ServerClaim. + properties: + phase: + description: Phase represents the current phase of the server claim. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: servermaintenances.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: ServerMaintenance + listKind: ServerMaintenanceList + plural: servermaintenances + shortNames: + - sm + singular: servermaintenance + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.serverRef.name + name: Server + type: string + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.serverBootConfigurationTemplate.name + name: BootConfiguration + type: string + - jsonPath: .metadata.annotations.metal\.ironcore\.dev\/reason + name: Reason + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.priority + name: Priority + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServerMaintenance is the Schema for the ServerMaintenance API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServerMaintenanceSpec defines the desired state of a ServerMaintenance + properties: + policy: + description: Policy specifies the maintenance policy to be enforced + on the server. + type: string + priority: + default: 0 + description: |- + Priority determines ordering when multiple ServerMaintenance resources target the same server. + Higher values are processed first. If priorities are equal, older resources are processed first. + If omitted, priority is treated as 0. + format: int32 + type: integer + serverBootConfigurationTemplate: + description: ServerBootConfigurationTemplate specifies the boot configuration + to be applied to the server during maintenance. + properties: + name: + description: Name specifies the name of the boot configuration. + type: string + spec: + description: Spec specifies the boot configuration to be rendered. + properties: + ignitionSecretRef: + description: |- + IgnitionSecretRef is a reference to the Secret object that contains + the ignition configuration for the server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + image: + description: Image specifies the boot image to be used for + the server. + type: string + serverRef: + description: ServerRef is a reference to the server for which + this boot configuration is intended. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - serverRef + type: object + required: + - name + - spec + type: object + serverPower: + description: ServerPower specifies the power state of the server during + maintenance. + type: string + serverRef: + description: ServerRef is a reference to the server that is to be + maintained. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - serverRef + type: object + status: + description: ServerMaintenanceStatus defines the observed state of a ServerMaintenance + properties: + state: + description: State specifies the current state of the server maintenance. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.21.0 + name: servers.metal.ironcore.dev +spec: + group: metal.ironcore.dev + names: + kind: Server + listKind: ServerList + plural: servers + shortNames: + - srv + singular: server + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.systemUUID + name: SystemUUID + type: string + - jsonPath: .status.manufacturer + name: Manufacturer + type: string + - jsonPath: .status.model + name: Model + type: string + - jsonPath: .status.totalSystemMemory + name: Memory + type: string + - jsonPath: .status.sku + name: SKU + priority: 100 + type: string + - jsonPath: .status.serialNumber + name: SerialNumber + priority: 100 + type: string + - jsonPath: .status.powerState + name: PowerState + type: string + - jsonPath: .status.indicatorLED + name: IndicatorLED + priority: 100 + type: string + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Server is the Schema for the servers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServerSpec defines the desired state of a Server. + properties: + biosSettingsRef: + description: |- + BIOSSettingsRef is a reference to a biossettings object that specifies + the BIOS configuration for this server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + bmc: + description: BMC contains the access details for the BMC. + properties: + address: + description: Address is the address of the BMC. + type: string + bmcSecretRef: + description: |- + BMCSecretRef is a reference to the BMCSecret object that contains the credentials + required to access the BMC. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + protocol: + description: Protocol specifies the protocol to be used for communicating + with the BMC. + properties: + name: + description: Name specifies the name of the protocol. + type: string + port: + description: Port specifies the port number used for communication. + format: int32 + type: integer + scheme: + description: Scheme specifies the scheme used for communication. 
+ type: string + required: + - name + - port + type: object + required: + - address + - bmcSecretRef + - protocol + type: object + bmcRef: + description: BMCRef is a reference to the BMC object associated with + this server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + bootConfigurationRef: + description: |- + BootConfigurationRef is a reference to a BootConfiguration object that specifies + the boot configuration for this server. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + bootOrder: + description: BootOrder specifies the boot order of the server. + items: + description: BootOrder represents the boot order of the server. + properties: + device: + description: Device is the device to boot from. + type: string + name: + description: Name is the name of the boot device. + type: string + priority: + description: Priority is the priority of the boot device. + type: integer + required: + - device + - name + - priority + type: object + type: array + indicatorLED: + description: IndicatorLED specifies the desired state of the server's + indicator LED. + type: string + maintenanceBootConfigurationRef: + description: |- + MaintenanceBootConfigurationRef is a reference to a BootConfiguration object that specifies + the boot configuration for this server during maintenance. + properties: + name: + description: Name is the name of the referenced object. 
+ type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + power: + description: Power specifies the desired power state of the server. + type: string + serverClaimRef: + description: ServerClaimRef is a reference to a ServerClaim object + that claims this server. + properties: + name: + description: Name is the name of the referenced object. + maxLength: 253 + type: string + x-kubernetes-validations: + - rule: self == oldSelf + namespace: + description: Namespace is the namespace of the referenced object. + maxLength: 63 + type: string + x-kubernetes-validations: + - rule: self == oldSelf + required: + - name + - namespace + type: object + serverMaintenanceRef: + description: ServerMaintenanceRef is a reference to a ServerMaintenance + object that maintains this server. + properties: + name: + description: Name is the name of the referenced object. + type: string + namespace: + description: Namespace is the namespace of the referenced object. + type: string + required: + - name + - namespace + type: object + systemURI: + description: SystemURI is the unique URI for the server resource in + REDFISH API. + type: string + systemUUID: + description: SystemUUID is the unique identifier for the server. + type: string + taints: + description: Taints control which ServerClaims can be bound to this + server. + items: + description: |- + Taint represents a taint applied to a Server that restricts which + ServerClaims can be bound to it. + properties: + effect: + default: NoBind + description: |- + Effect indicates the effect of the taint on ServerClaims that do not + tolerate the taint. + enum: + - NoBind + - Evict + type: string + key: + description: Key is the taint key to be applied to a server. + minLength: 1 + type: string + value: + description: Value is the taint value corresponding to the taint + key. 
+ type: string + required: + - key + type: object + type: array + required: + - systemUUID + type: object + status: + description: ServerStatus defines the observed state of Server. + properties: + biosVersion: + description: BIOSVersion is the version of the server's BIOS. + type: string + conditions: + description: Conditions represents the latest available observations + of the server's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + indicatorLED: + description: IndicatorLED specifies the current state of the server's + indicator LED. + type: string + manufacturer: + description: Manufacturer is the name of the server manufacturer. + type: string + model: + description: Model is the model of the server. + type: string + networkInterfaces: + description: NetworkInterfaces is a list of network interfaces associated + with the server. + items: + description: NetworkInterface defines the details of a network interface. + properties: + carrierStatus: + description: CarrierStatus is the operational carrier status + of the network interface. + type: string + ip: + description: |- + IP is the IP address assigned to the network interface. + Deprecated: Use IPs instead. Kept for backward compatibility, always nil. + type: string + ips: + description: IPs is a list of IP addresses (both IPv4 and IPv6) + assigned to the network interface. + items: + format: ip + type: string + type: array + macAddress: + description: MACAddress is the MAC address of the network interface. + type: string + name: + description: Name is the name of the network interface. + type: string + neighbors: + description: Neighbors contains the LLDP neighbors discovered + on this interface. + items: + description: LLDPNeighbor defines the details of an LLDP neighbor. + properties: + macAddress: + description: MACAddress is the MAC address of the LLDP + neighbor. + type: string + portDescription: + description: PortDescription is the port description of + the LLDP neighbor. 
+ type: string + portID: + description: PortID is the port identifier of the LLDP + neighbor. + type: string + systemDescription: + description: SystemDescription is the system description + of the LLDP neighbor. + type: string + systemName: + description: SystemName is the system name of the LLDP + neighbor. + type: string + type: object + type: array + required: + - macAddress + - name + type: object + type: array + powerState: + description: PowerState represents the current power state of the + server. + type: string + processors: + description: Processors is a list of Processors associated with the + server. + items: + description: Processor defines the details of a Processor. + properties: + architecture: + description: Architecture is the architecture of the Processor. + type: string + id: + description: ID is the name of the Processor. + type: string + instructionSet: + description: InstructionSet is the instruction set of the Processor. + type: string + manufacturer: + description: Manufacturer is the manufacturer of the Processor. + type: string + maxSpeedMHz: + description: MaxSpeedMHz is the maximum speed of the Processor + in MHz. + format: int32 + type: integer + model: + description: Model is the model of the Processor. + type: string + totalCores: + description: TotalCores is the total number of cores in the + Processor. + format: int32 + type: integer + totalThreads: + description: TotalThreads is the total number of threads in + the Processor. + format: int32 + type: integer + type: + description: Type is the type of the Processor. + type: string + required: + - id + type: object + type: array + serialNumber: + description: SerialNumber is the serial number of the server. + type: string + sku: + description: SKU is the stock keeping unit identifier for the server. + type: string + state: + description: State represents the current state of the server. 
+ type: string + storages: + description: Storages is a list of storages associated with the server. + items: + description: Storage defines the details of one storage device. + properties: + drives: + description: Drives is a collection of drives associated with + this storage. + items: + description: StorageDrive defines the details of one storage + drive. + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity specifies the size of the storage + device in bytes. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + mediaType: + description: MediaType specifies the media type of the + storage device. + type: string + model: + description: Model specifies the model of the storage + device. + type: string + name: + description: Name is the name of the storage drive. + type: string + state: + description: State specifies the state of the storage + device. + type: string + type: + description: Type specifies the type of the storage device. + type: string + vendor: + description: Vendor specifies the vendor of the storage + device. + type: string + type: object + type: array + name: + description: Name is the name of the storage device. + type: string + state: + description: State specifies the state of the storage device. + type: string + volumes: + description: Volumes is a collection of volumes associated with + this storage. + items: + description: StorageVolume defines the details of one storage + volume. + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity specifies the size of the storage + device in bytes. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name is the name of the storage volume. 
+ type: string + raidType: + description: RAIDType specifies the RAID type of the associated + Volume. + type: string + state: + description: Status specifies the status of the volume. + type: string + volumeUsage: + description: VolumeUsage specifies the volume usage type + for the Volume. + type: string + type: object + type: array + type: object + type: array + totalSystemMemory: + anyOf: + - type: integer + - type: string + description: TotalSystemMemory is the total amount of memory in bytes + available on the server. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/part-of: metal-operator + name: metal-operator-controller-manager + namespace: metal-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: role + app.kubernetes.io/part-of: metal-operator + name: metal-operator-leader-election-role + namespace: metal-operator-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: biossettings-admin-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-biossettings-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: biossettings-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-biossettings-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: biossettings-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-biossettings-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biossettingsset-admin-role +rules: +- 
apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biossettingsset-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biossettingsset-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversion-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversion-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversion-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biosversions/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversionset-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversionset-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-biosversionset-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biosversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmc-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcs + verbs: + - '*' +- apiGroups: + - 
metal.ironcore.dev + resources: + - bmcs/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: bmc-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-bmc-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcs/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: bmc-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-bmc-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcs + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcs/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsecret-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: bmcsecret-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: 
metal-operator-bmcsecret-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: bmcsecret-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-bmcsecret-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsecrets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettings-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettings + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettings-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettings-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: 
+ - bmcsettings + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettingsset-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettingsset-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcsettingsset-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcsettingssets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcuser-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: 
metal-operator + name: metal-operator-bmcuser-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcuser-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcusers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversion-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversion-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversion-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversions/status + verbs: + - get +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversionset-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversionset-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-bmcversionset-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - bmcversionsets/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-endpoint-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: endpoint-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: 
metal-operator + name: metal-operator-endpoint-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: endpoint-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-endpoint-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - endpoints/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metal-operator-manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - BMC + verbs: + - get + - list + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings + - biossettingssets + - biosversions + - biosversionsets + - bmcs + - bmcsecrets + - bmcsettings + - bmcsettingssets + - bmcusers + - bmcversions + - bmcversionsets + - endpoints + - serverbootconfigurations + - serverclaims + - serverconfigurations + - servermaintenances + - servers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/finalizers + - biossettingssets/finalizers + - 
biosversions/finalizers + - biosversionsets/finalizers + - bmcs/finalizers + - bmcsecrets/finalizers + - bmcsettings/finalizers + - bmcsettingssets/finalizers + - bmcusers/finalizers + - bmcversions/finalizers + - bmcversionsets/finalizers + - endpoints/finalizers + - serverbootconfigurations/finalizers + - serverclaims/finalizers + - servermaintenances/finalizers + - servers/finalizers + verbs: + - update +- apiGroups: + - metal.ironcore.dev + resources: + - biossettings/status + - biossettingssets/status + - biosversions/status + - biosversionsets/status + - bmcs/status + - bmcsecrets/status + - bmcsettings/status + - bmcsettingssets/status + - bmcusers/status + - bmcversions/status + - bmcversionsets/status + - endpoints/status + - serverbootconfigurations/status + - serverclaims/status + - servermaintenances/status + - servers/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metal-operator-metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metal-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-server-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servers + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - servers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: server-editor-role + 
app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-server-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - servers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: server-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-server-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servers + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - servers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-serverbootconfiguration-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: serverbootconfiguration-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-serverbootconfiguration-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- 
apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: serverbootconfiguration-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-serverbootconfiguration-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-serverclaim-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: serverclaim-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-serverclaim-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: 
serverclaim-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: metal-operator + name: metal-operator-serverclaim-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - serverclaims/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-servermaintenance-admin-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances + verbs: + - '*' +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-servermaintenance-editor-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-servermaintenance-viewer-role +rules: +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - servermaintenances/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: 
kustomize + app.kubernetes.io/name: rolebinding + app.kubernetes.io/part-of: metal-operator + name: metal-operator-leader-election-rolebinding + namespace: metal-operator-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: metal-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: metal-operator-controller-manager + namespace: metal-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: metal-operator + name: metal-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metal-operator-manager-role +subjects: +- kind: ServiceAccount + name: metal-operator-controller-manager + namespace: metal-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metal-operator-metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metal-operator-metrics-auth-role +subjects: +- kind: ServiceAccount + name: metal-operator-controller-manager + namespace: metal-operator-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + control-plane: controller-manager + name: metal-operator-controller-manager-metrics-service + namespace: metal-operator-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: metal-operator + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-webhook-service + namespace: 
metal-operator-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/name: metal-operator + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + control-plane: controller-manager + name: metal-operator-controller-manager + namespace: metal-operator-system +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: metal-operator + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/name: metal-operator + control-plane: controller-manager + spec: + containers: + - args: + - --metrics-bind-address=:8443 + - --leader-elect + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs + command: + - /manager + image: controller:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 8081 + name: health + protocol: TCP + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: metal-operator-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: metrics-certs + secret: + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + 
path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: metrics-server-cert + - name: webhook-certs + secret: + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-metrics-certs + namespace: metal-operator-system +spec: + dnsNames: + - metal-operator-controller-manager-metrics-service.metal-operator-system.svc + - metal-operator-controller-manager-metrics-service.metal-operator-system.svc.cluster.local + issuerRef: + kind: Issuer + name: metal-operator-selfsigned-issuer + secretName: metrics-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-serving-cert + namespace: metal-operator-system +spec: + dnsNames: + - metal-operator-webhook-service.metal-operator-system.svc + - metal-operator-webhook-service.metal-operator-system.svc.cluster.local + issuerRef: + kind: Issuer + name: metal-operator-selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: metal-operator + name: metal-operator-selfsigned-issuer + namespace: metal-operator-system +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: metal-operator-system/metal-operator-serving-cert + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: metal-operator + app.kubernetes.io/instance: validating-webhook-configuration + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: validatingwebhookconfiguration + app.kubernetes.io/part-of: metal-operator + name: metal-operator-validating-webhook-configuration 
+webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-biossettings + failurePolicy: Fail + name: vbiossettings-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - biossettings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-biosversion + failurePolicy: Fail + name: vbiosversion-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - biosversions + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-bmcsecret + failurePolicy: Fail + name: vbmcsecret-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcsecrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-bmcsettings + failurePolicy: Fail + name: vbmcsettings-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcsettings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-bmcversion + failurePolicy: Fail + name: vbmcversion-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev 
+ apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - bmcversions + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-endpoint + failurePolicy: Fail + name: vendpoint-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - endpoints + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: metal-operator-webhook-service + namespace: metal-operator-system + path: /validate-metal-ironcore-dev-v1alpha1-server + failurePolicy: Fail + name: vserver-v1alpha1.kb.io + rules: + - apiGroups: + - metal.ironcore.dev + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - servers + sideEffects: None