mirror of
https://github.com/projectcapsule/capsule.git
synced 2026-02-14 09:59:57 +00:00
00b59fa843
* feat(deps): update kubernetes components to 1.30 Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * ci(deps): update kubernetes components to 1.30 Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore(makefile): update binaries and improve building Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(deps): remove multierror dependency Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore(ci): use go.mod as go version Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
133 lines
5.8 KiB
YAML
133 lines
5.8 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
name: capsuleconfigurations.capsule.clastix.io
|
|
spec:
|
|
group: capsule.clastix.io
|
|
names:
|
|
kind: CapsuleConfiguration
|
|
listKind: CapsuleConfigurationList
|
|
plural: capsuleconfigurations
|
|
singular: capsuleconfiguration
|
|
scope: Cluster
|
|
versions:
|
|
- name: v1beta2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: CapsuleConfiguration is the Schema for the Capsule configuration
|
|
API.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: CapsuleConfigurationSpec defines the Capsule configuration.
|
|
properties:
|
|
enableTLSReconciler:
|
|
default: true
|
|
description: |-
|
|
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
|
|
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
|
|
type: boolean
|
|
forceTenantPrefix:
|
|
default: false
|
|
description: |-
|
|
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
|
|
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
|
|
type: boolean
|
|
nodeMetadata:
|
|
description: |-
|
|
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
|
|
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
|
|
properties:
|
|
forbiddenAnnotations:
|
|
description: Define the annotations that a Tenant Owner cannot
|
|
set for their nodes.
|
|
properties:
|
|
denied:
|
|
items:
|
|
type: string
|
|
type: array
|
|
deniedRegex:
|
|
type: string
|
|
type: object
|
|
forbiddenLabels:
|
|
description: Define the labels that a Tenant Owner cannot set
|
|
for their nodes.
|
|
properties:
|
|
denied:
|
|
items:
|
|
type: string
|
|
type: array
|
|
deniedRegex:
|
|
type: string
|
|
type: object
|
|
required:
|
|
- forbiddenAnnotations
|
|
- forbiddenLabels
|
|
type: object
|
|
overrides:
|
|
default:
|
|
TLSSecretName: capsule-tls
|
|
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
|
|
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
|
|
description: |-
|
|
Allows to set different name rather than the canonical one for the Capsule configuration objects,
|
|
such as webhook secret or configurations.
|
|
properties:
|
|
TLSSecretName:
|
|
default: capsule-tls
|
|
description: |-
|
|
Defines the Secret name used for the webhook server.
|
|
Must be in the same Namespace where the Capsule Deployment is deployed.
|
|
type: string
|
|
mutatingWebhookConfigurationName:
|
|
default: capsule-mutating-webhook-configuration
|
|
description: Name of the MutatingWebhookConfiguration which contains
|
|
the dynamic admission controller paths and resources.
|
|
type: string
|
|
validatingWebhookConfigurationName:
|
|
default: capsule-validating-webhook-configuration
|
|
description: Name of the ValidatingWebhookConfiguration which
|
|
contains the dynamic admission controller paths and resources.
|
|
type: string
|
|
required:
|
|
- TLSSecretName
|
|
- mutatingWebhookConfigurationName
|
|
- validatingWebhookConfigurationName
|
|
type: object
|
|
protectedNamespaceRegex:
|
|
description: Disallow creation of namespaces, whose name matches this
|
|
regexp
|
|
type: string
|
|
userGroups:
|
|
default:
|
|
- capsule.clastix.io
|
|
description: Names of the groups for Capsule users.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- enableTLSReconciler
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|