apiVersion: v1
kind: Namespace
metadata:
  labels:
    cluster.x-k8s.io/provider: bootstrap-rke2
    control-plane: controller-manager
  name: rke2-bootstrap-system
---
apiVersion: v1
data:
  components: |
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
        control-plane: controller-manager
      name: rke2-bootstrap-system
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        cert-manager.io/inject-ca-from: rke2-bootstrap-system/rke2-bootstrap-serving-cert
        controller-gen.kubebuilder.io/version: v0.14.0
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
        cluster.x-k8s.io/v1beta1: v1alpha1_v1beta1
      name: rke2configs.bootstrap.cluster.x-k8s.io
    spec:
      conversion:
        strategy: Webhook
        webhook:
          clientConfig:
            service:
              name: rke2-bootstrap-webhook-service
              namespace: rke2-bootstrap-system
              path: /convert
          conversionReviewVersions:
          - v1
          - v1beta1
      group: bootstrap.cluster.x-k8s.io
      names:
        kind: RKE2Config
        listKind: RKE2ConfigList
        plural: rke2configs
        singular: rke2config
      scope: Namespaced
      versions:
      - name: v1alpha1
        schema:
          openAPIV3Schema:
            description: RKE2Config is the Schema for the rke2configs API.
            properties:
              apiVersion:
                description: |-
                  APIVersion defines the versioned schema of this representation of an object.
                  Servers should convert recognized schemas to the latest internal value, and
                  may reject unrecognized values.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                type: string
              kind:
                description: |-
                  Kind is a string value representing the REST resource this object represents.
                  Servers may infer this from the endpoint the client submits requests to.
                  Cannot be updated.
                  In CamelCase.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                type: string
              metadata:
                type: object
              spec:
                description: RKE2ConfigSpec defines the desired state of RKE2Config.
                properties:
                  agentConfig:
                    description: AgentConfig specifies configuration for the agent nodes.
                    properties:
                      additionalUserData:
                        description: |-
                          AdditionalUserData is a field that allows users to specify additional cloud-init or ignition
                          configuration to be included in the generated cloud-init/ignition script.
                        properties:
                          config:
                            description: |-
                              In case of using ignition, the data format is documented here:
                              https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/
                              NOTE: All fields of the UserData that are managed by the RKE2Config controller
                              will be ignored; this includes "write_files", "runcmd" and "ntp".
                              Deprecated: Data is reserved for the arbitrary cloud-init data
                            type: string
                          data:
                            additionalProperties:
                              type: string
                            description: |-
                              Data allows passing an arbitrary set of key/value pairs consistent with
                              https://cloudinit.readthedocs.io/en/latest/reference/modules.html
                              to extend the existing cloud-init configuration
                            type: object
                          strict:
                            description: Strict controls if Config should be strictly parsed. If so, warnings are treated as errors.
                            type: boolean
                        type: object
                        x-kubernetes-validations:
                        - message: Only one of config or data can be populated
                          rule: '!has(self.data) || !has(self.config)'
                      airGapped:
                        description: |-
                          AirGapped is a boolean value to define if the bootstrapping should be air-gapped,
                          basically supposing that online container registries and RKE2 install scripts are not reachable.
                        type: boolean
                      cisProfile:
                        description: CISProfile activates CIS compliance of RKE2 for a certain profile
                        enum:
                        - cis
                        - cis-1.23
                        - cis-1.5
                        - cis-1.6
                        type: string
                      containerRuntimeEndpoint:
                        description: ContainerRuntimeEndpoint Disable embedded containerd and use alternative CRI implementation.
                        type: string
                      dataDir:
                        description: DataDir Folder to hold state.
                        type: string
                      enableContainerdSElinux:
                        description: |-
                          EnableContainerdSElinux defines the policy for enabling SELinux for Containerd
                          if value is true, Containerd will run with selinux-enabled=true flag
                          if value is false, Containerd will run without the above flag
                        type: boolean
                      format:
                        description: Format specifies the output format of the bootstrap data. Defaults to cloud-config.
                        enum:
                        - cloud-config
                        - ignition
                        type: string
                      imageCredentialProviderConfigMap:
                        description: |-
                          ImageCredentialProviderConfigMap is a reference to the ConfigMap that contains credential provider plugin config
                          The config map should contain a key "credential-config.yaml" with YAML file content and
                          a key "credential-provider-binaries" with the path to the binaries for the credential provider.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                              or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                              This syntax is chosen only to have some well-defined way of referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      kubeProxy:
                        description: KubeProxyArgs Customized flag for kube-proxy process.
                        properties:
                          extraArgs:
                            description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                            items:
                              type: string
                            type: array
                          extraEnv:
                            additionalProperties:
                              type: string
                            description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                            type: object
                          extraMounts:
                            additionalProperties:
                              type: string
                            description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                            type: object
                          overrideImage:
                            description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                            type: string
                        type: object
                      kubelet:
                        description: KubeletArgs Customized flag for kubelet process.
                        properties:
                          extraArgs:
                            description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                            items:
                              type: string
                            type: array
                          extraEnv:
                            additionalProperties:
                              type: string
                            description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                            type: object
                          extraMounts:
                            additionalProperties:
                              type: string
                            description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                            type: object
                          overrideImage:
                            description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                            type: string
                        type: object
                      kubeletPath:
                        description: KubeletPath Override kubelet binary path.
                        type: string
                      loadBalancerPort:
                        description: |-
                          LoadBalancerPort local port for supervisor client load-balancer. If the supervisor and apiserver are
                          not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer (default: 6444).
                        type: integer
                      nodeAnnotations:
                        additionalProperties:
                          type: string
                        description: |-
                          NodeAnnotations are annotations that are created on nodes post bootstrap phase.
                          Unfortunately it is not possible to apply annotations via kubelet
                          using current bootstrap configurations.
                          Issue: https://github.com/kubernetes/kubernetes/issues/108046
                        type: object
                      nodeLabels:
                        description: NodeLabels Registering and starting kubelet with set of labels.
                        items:
                          type: string
                        type: array
                      nodeName:
                        description: NodeNamePrefix Prefix to the Node Name that CAPI will generate.
                        type: string
                      nodeTaints:
                        description: NodeTaints Registering kubelet with set of taints.
                        items:
                          type: string
                        type: array
                      ntp:
                        description: NTP specifies NTP configuration
                        properties:
                          enabled:
                            description: Enabled specifies whether NTP should be enabled
                            type: boolean
                          servers:
                            description: Servers specifies which NTP servers to use
                            items:
                              type: string
                            type: array
                        type: object
                      protectKernelDefaults:
                        description: |-
                          ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
                          if false, kernel tunable can be different from kubelet defaults
                        type: boolean
                      resolvConf:
                        description: ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                              or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                              This syntax is chosen only to have some well-defined way of referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      runtimeImage:
                        description: RuntimeImage override image to use for runtime binaries (containerd, kubectl, crictl, etc).
                        type: string
                      snapshotter:
                        description: 'Snapshotter override default containerd snapshotter (default: "overlayfs").'
                        type: string
                      systemDefaultRegistry:
                        description: SystemDefaultRegistry Private registry to be used for all system images.
                        type: string
                      version:
                        description: Version specifies the rke2 version.
                        type: string
                    type: object
                  files:
                    description: Files specifies extra files to be passed to user_data upon creation.
                    items:
                      description: File defines the input for generating write_files in cloud-init.
                      properties:
                        content:
                          description: Content is the actual content of the file.
                          type: string
                        contentFrom:
                          description: ContentFrom is a referenced source of content to populate the file.
                          properties:
                            secret:
                              description: SecretFileSource represents a secret that should populate this file.
                              properties:
                                key:
                                  description: Key is the key in the secret's data map for this value.
                                  type: string
                                name:
                                  description: Name of the secret in the RKE2BootstrapConfig's namespace to use.
                                  type: string
                              required:
                              - key
                              - name
                              type: object
                          required:
                          - secret
                          type: object
                        encoding:
                          description: Encoding specifies the encoding of the file contents.
                          enum:
                          - base64
                          - gzip
                          - gzip+base64
                          type: string
                        owner:
                          description: Owner specifies the ownership of the file, e.g. "root:root".
                          type: string
                        path:
                          description: Path specifies the full path on disk where to store the file.
                          type: string
                        permissions:
                          description: Permissions specifies the permissions to assign to the file, e.g. "0640".
                          type: string
                      required:
                      - path
                      type: object
                    type: array
                  postRKE2Commands:
                    description: PostRKE2Commands specifies extra commands to run after rke2 setup runs.
                    items:
                      type: string
                    type: array
                  preRKE2Commands:
                    description: PreRKE2Commands specifies extra commands to run before rke2 setup runs.
                    items:
                      type: string
                    type: array
                  privateRegistriesConfig:
                    description: PrivateRegistriesConfig defines the containerd configuration for private registries and local registry mirrors.
                    properties:
                      configs:
                        additionalProperties:
                          description: RegistryConfig contains configuration used to communicate with the registry.
                          properties:
                            authSecret:
                              description: |-
                                Auth is a reference to a Secret containing information to authenticate to the registry.
                                The Secret must provide a username and a password data entry.
                              properties:
                                apiVersion:
                                  description: API version of the referent.
                                  type: string
                                fieldPath:
                                  description: |-
                                    If referring to a piece of an object instead of an entire object, this string
                                    should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                    For example, if the object reference is to a container within a pod, this would take on a value like:
                                    "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                                    or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                                    This syntax is chosen only to have some well-defined way of referencing a part of an object.
                                    TODO: this design is not final and this field is subject to change in the future.
                                  type: string
                                kind:
                                  description: |-
                                    Kind of the referent.
                                    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                  type: string
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                  type: string
                                namespace:
                                  description: |-
                                    Namespace of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                  type: string
                                resourceVersion:
                                  description: |-
                                    Specific resourceVersion to which this reference is made, if any.
                                    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                  type: string
                                uid:
                                  description: |-
                                    UID of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            tls:
                              description: |-
                                TLS is a pair of CA/Cert/Key which then are used when creating the transport
                                that communicates with the registry.
                              properties:
                                insecureSkipVerify:
                                  description: InsecureSkipVerify may be set to true to skip verifying the registry's certificate. The default is false, i.e. the certificate is verified.
                                  type: boolean
                                tlsConfigSecret:
                                  description: |-
                                    TLSConfigSecret is a reference to a secret of type `kubernetes.io/tls` which has up to 3 entries: tls.crt, tls.key and ca.crt
                                    which describe the TLS configuration necessary to connect to the registry.
                                  properties:
                                    apiVersion:
                                      description: API version of the referent.
                                      type: string
                                    fieldPath:
                                      description: |-
                                        If referring to a piece of an object instead of an entire object, this string
                                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                        For example, if the object reference is to a container within a pod, this would take on a value like:
                                        "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                                        or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                                        This syntax is chosen only to have some well-defined way of referencing a part of an object.
                                        TODO: this design is not final and this field is subject to change in the future.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of the referent.
                                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                      type: string
                                    name:
                                      description: |-
                                        Name of the referent.
                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referent.
                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                      type: string
                                    resourceVersion:
                                      description: |-
                                        Specific resourceVersion to which this reference is made, if any.
                                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                      type: string
                                    uid:
                                      description: |-
                                        UID of the referent.
                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                          type: object
                        description: |-
                          Configs are configs for each registry.
                          The key is the FQDN or IP of the registry.
                        type: object
                      mirrors:
                        additionalProperties:
                          description: Mirror contains the config related to the registry mirror.
                          properties:
                            endpoint:
                              description: |-
                                Endpoints are endpoints for a namespace. CRI plugin will try the endpoints
                                one by one until a working one is found. The endpoint must be a valid url
                                with host specified.
                                The scheme, host and path from the endpoint URL will be used.
                              items:
                                type: string
                              type: array
                            rewrite:
                              additionalProperties:
                                type: string
                              description: |-
                                Rewrites are repository rewrite rules for a namespace. When fetching image resources
                                from an endpoint and a key matches the repository via regular expression matching
                                it will be replaced with the corresponding value from the map in the resource request.
                              type: object
                          type: object
                        description: Mirrors are namespace to mirror mapping for all namespaces.
                        type: object
                    type: object
                type: object
              status:
                description: RKE2ConfigStatus defines the observed state of RKE2Config.
                properties:
                  conditions:
                    description: Conditions defines current service state of the RKE2Config.
                    items:
                      description: Condition defines an observation of a Cluster API resource operational state.
                      properties:
                        lastTransitionTime:
                          description: |-
                            Last time the condition transitioned from one status to another.
                            This should be when the underlying condition changed. If that is not known, then using the time when
                            the API field changed is acceptable.
                          format: date-time
                          type: string
                        message:
                          description: |-
                            A human readable message indicating details about the transition.
                            This field may be empty.
                          type: string
                        reason:
                          description: |-
                            The reason for the condition's last transition in CamelCase.
                            The specific API may choose whether or not this field is considered a guaranteed API.
                            This field may not be empty.
                          type: string
                        severity:
                          description: |-
                            Severity provides an explicit classification of Reason code, so the users or machines can immediately
                            understand the current situation and act accordingly.
                            The Severity field MUST be set only when Status=False.
                          type: string
                        status:
                          description: Status of the condition, one of True, False, Unknown.
                          type: string
                        type:
                          description: |-
                            Type of condition in CamelCase or in foo.example.com/CamelCase.
                            Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                            can be useful (see .node.status.conditions), the ability to deconflict is important.
                          type: string
                      required:
                      - lastTransitionTime
                      - status
                      - type
                      type: object
                    type: array
                  dataSecretName:
                    description: DataSecretName is the name of the secret that stores the bootstrap data script.
                    type: string
                  failureMessage:
                    description: FailureMessage will be set on non-retryable errors.
                    type: string
                  failureReason:
                    description: FailureReason will be set on non-retryable errors.
                    type: string
                  observedGeneration:
                    description: ObservedGeneration is the latest generation observed by the controller.
                    format: int64
                    type: integer
                  ready:
                    description: Ready indicates the BootstrapData field is ready to be consumed.
                    type: boolean
                type: object
            type: object
        served: true
        storage: false
        subresources:
          status: {}
      - name: v1beta1
        schema:
          openAPIV3Schema:
            description: RKE2Config is the Schema for the rke2configs API.
            properties:
              apiVersion:
                description: |-
                  APIVersion defines the versioned schema of this representation of an object.
                  Servers should convert recognized schemas to the latest internal value, and
                  may reject unrecognized values.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                type: string
              kind:
                description: |-
                  Kind is a string value representing the REST resource this object represents.
                  Servers may infer this from the endpoint the client submits requests to.
                  Cannot be updated.
                  In CamelCase.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                type: string
              metadata:
                type: object
              spec:
                description: RKE2ConfigSpec defines the desired state of RKE2Config.
                properties:
                  agentConfig:
                    description: AgentConfig specifies configuration for the agent nodes.
                    properties:
                      additionalUserData:
                        description: |-
                          AdditionalUserData is a field that allows users to specify additional cloud-init or ignition
                          configuration to be included in the generated cloud-init/ignition script.
                        properties:
                          config:
                            description: |-
                              In case of using ignition, the data format is documented here:
                              https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/
                              NOTE: All fields of the UserData that are managed by the RKE2Config controller
                              will be ignored; this includes "write_files", "runcmd" and "ntp".
                            type: string
                          data:
                            additionalProperties:
                              type: string
                            description: |-
                              Data allows passing an arbitrary set of key/value pairs consistent with
                              https://cloudinit.readthedocs.io/en/latest/reference/modules.html
                              to extend the existing cloud-init configuration
                            type: object
                          strict:
                            description: Strict controls if Config should be strictly parsed. If so, warnings are treated as errors.
                            type: boolean
                        type: object
                        x-kubernetes-validations:
                        - message: Only one of config or data can be populated
                          rule: '!has(self.data) || !has(self.config)'
                      airGapped:
                        description: |-
                          AirGapped is a boolean value to define if the bootstrapping should be air-gapped,
                          basically supposing that online container registries and RKE2 install scripts are not reachable.
                        type: boolean
                      airGappedChecksum:
                        description: |-
                          AirGappedChecksum is a string value with a sha256sum checksum to compare with checksum of
                          existing sha256sum-.txt file for packages already available on the machine before performing
                          air-gapped installation.
                        type: string
                      cisProfile:
                        description: CISProfile activates CIS compliance of RKE2 for a certain profile
                        enum:
                        - cis
                        - cis-1.23
                        - cis-1.5
                        - cis-1.6
                        type: string
                      containerRuntimeEndpoint:
                        description: ContainerRuntimeEndpoint Disable embedded containerd and use alternative CRI implementation.
                        type: string
                      dataDir:
                        description: DataDir Folder to hold state.
                        type: string
                      enableContainerdSElinux:
                        description: |-
                          EnableContainerdSElinux defines the policy for enabling SELinux for Containerd
                          if value is true, Containerd will run with selinux-enabled=true flag
                          if value is false, Containerd will run without the above flag
                        type: boolean
                      format:
                        description: Format specifies the output format of the bootstrap data. Defaults to cloud-config.
                        enum:
                        - cloud-config
                        - ignition
                        type: string
                      imageCredentialProviderConfigMap:
                        description: |-
                          ImageCredentialProviderConfigMap is a reference to the ConfigMap that contains credential provider plugin config
                          The config map should contain a key "credential-config.yaml" with YAML file content and
                          a key "credential-provider-binaries" with the path to the binaries for the credential provider.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                              or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                              This syntax is chosen only to have some well-defined way of referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      kubeProxy:
                        description: KubeProxyArgs Customized flag for kube-proxy process.
                        properties:
                          extraArgs:
                            description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                            items:
                              type: string
                            type: array
                          extraEnv:
                            additionalProperties:
                              type: string
                            description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                            type: object
                          extraMounts:
                            additionalProperties:
                              type: string
                            description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                            type: object
                          overrideImage:
                            description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                            type: string
                        type: object
                      kubelet:
                        description: KubeletArgs Customized flag for kubelet process.
                        properties:
                          extraArgs:
                            description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                            items:
                              type: string
                            type: array
                          extraEnv:
                            additionalProperties:
                              type: string
                            description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                            type: object
                          extraMounts:
                            additionalProperties:
                              type: string
                            description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                            type: object
                          overrideImage:
                            description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                            type: string
                        type: object
                      kubeletPath:
                        description: KubeletPath Override kubelet binary path.
                        type: string
                      loadBalancerPort:
                        description: |-
                          LoadBalancerPort local port for supervisor client load-balancer. If the supervisor and apiserver are
                          not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer (default: 6444).
                        type: integer
                      nodeAnnotations:
                        additionalProperties:
                          type: string
                        description: |-
                          NodeAnnotations are annotations that are created on nodes post bootstrap phase.
                          Unfortunately it is not possible to apply annotations via kubelet
                          using current bootstrap configurations.
                          Issue: https://github.com/kubernetes/kubernetes/issues/108046
                        type: object
                      nodeLabels:
                        description: NodeLabels Registering and starting kubelet with set of labels.
                        items:
                          type: string
                        type: array
                      nodeName:
                        description: NodeNamePrefix Prefix to the Node Name that CAPI will generate.
                        type: string
                      nodeTaints:
                        description: NodeTaints Registering kubelet with set of taints.
                        items:
                          type: string
                        type: array
                      ntp:
                        description: NTP specifies NTP configuration
                        properties:
                          enabled:
                            description: Enabled specifies whether NTP should be enabled
                            type: boolean
                          servers:
                            description: Servers specifies which NTP servers to use
                            items:
                              type: string
                            type: array
                        type: object
                      podSecurityAdmissionConfigFile:
                        description: |-
                          PodSecurityAdmissionConfigFile contains the path to the Pod Security Admission configuration file.
                          The file can be passed through spec.Files field.
                        type: string
                      protectKernelDefaults:
                        description: |-
                          ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
                          if false, kernel tunable can be different from kubelet defaults
                        type: boolean
                      resolvConf:
                        description: ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                              or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                              This syntax is chosen only to have some well-defined way of referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      runtimeImage:
                        description: RuntimeImage override image to use for runtime binaries (containerd, kubectl, crictl, etc).
                        type: string
                      snapshotter:
                        description: 'Snapshotter override default containerd snapshotter (default: "overlayfs").'
                        type: string
                      systemDefaultRegistry:
                        description: SystemDefaultRegistry Private registry to be used for all system images.
                        type: string
                    type: object
                  files:
                    description: Files specifies extra files to be passed to user_data upon creation.
                    items:
                      description: File defines the input for generating write_files in cloud-init.
                      properties:
                        content:
                          description: Content is the actual content of the file.
                          type: string
                        contentFrom:
                          description: ContentFrom is a referenced source of content to populate the file.
                          properties:
                            secret:
                              description: SecretFileSource represents a secret that should populate this file.
                              properties:
                                key:
                                  description: Key is the key in the secret's data map for this value.
                                  type: string
                                name:
                                  description: Name of the secret in the RKE2BootstrapConfig's namespace to use.
                                  type: string
                              required:
                              - key
                              - name
                              type: object
                          required:
                          - secret
                          type: object
                        encoding:
                          description: Encoding specifies the encoding of the file contents.
                          enum:
                          - base64
                          - gzip
                          - gzip+base64
                          type: string
                        owner:
                          description: Owner specifies the ownership of the file, e.g. "root:root".
                          type: string
                        path:
                          description: Path specifies the full path on disk where to store the file.
                          type: string
                        permissions:
                          description: Permissions specifies the permissions to assign to the file, e.g. "0640".
                          type: string
                      required:
                      - path
                      type: object
                    type: array
                  postRKE2Commands:
                    description: PostRKE2Commands specifies extra commands to run after rke2 setup runs.
                    items:
                      type: string
                    type: array
                  preRKE2Commands:
                    description: PreRKE2Commands specifies extra commands to run before rke2 setup runs.
                    items:
                      type: string
                    type: array
                  privateRegistriesConfig:
                    description: PrivateRegistriesConfig defines the containerd configuration for private registries and local registry mirrors.
                    properties:
                      configs:
                        additionalProperties:
                          description: RegistryConfig contains configuration used to communicate with the registry.
                          properties:
                            authSecret:
                              description: |-
                                Auth is a reference to a Secret containing information to authenticate to the registry.
                                The Secret must provide a username and a password data entry.
                              properties:
                                apiVersion:
                                  description: API version of the referent.
                                  type: string
                                fieldPath:
                                  description: |-
                                    If referring to a piece of an object instead of an entire object, this string
                                    should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                    For example, if the object reference is to a container within a pod, this would take on a value like:
                                    "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                                    or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                                    This syntax is chosen only to have some well-defined way of referencing a part of an object.
                                    TODO: this design is not final and this field is subject to change in the future.
                                  type: string
                                kind:
                                  description: |-
                                    Kind of the referent.
                                    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                  type: string
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                  type: string
                                namespace:
                                  description: |-
                                    Namespace of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                  type: string
                                resourceVersion:
                                  description: |-
                                    Specific resourceVersion to which this reference is made, if any.
                                    More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                  type: string
                                uid:
                                  description: |-
                                    UID of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            tls:
                              description: |-
                                TLS is a pair of CA/Cert/Key which then are used when creating the transport
                                that communicates with the registry.
                              properties:
                                insecureSkipVerify:
                                  description: InsecureSkipVerify may be set to true to skip verifying the registry's certificate. The default is false, i.e. the certificate is verified.
                                  type: boolean
                                tlsConfigSecret:
                                  description: |-
                                    TLSConfigSecret is a reference to a secret of type `kubernetes.io/tls` which has up to 3 entries: tls.crt, tls.key and ca.crt
                                    which describe the TLS configuration necessary to connect to the registry.
                                  properties:
                                    apiVersion:
                                      description: API version of the referent.
                                      type: string
                                    fieldPath:
                                      description: |-
                                        If referring to a piece of an object instead of an entire object, this string
                                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                        For example, if the object reference is to a container within a pod, this would take on a value like:
                                        "spec.containers{name}" (where "name" refers to the name of the container that triggered the event)
                                        or if no container name is specified "spec.containers[2]" (container with index 2 in this pod).
                                        This syntax is chosen only to have some well-defined way of referencing a part of an object.
                                        TODO: this design is not final and this field is subject to change in the future.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of the referent.
                                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                      type: string
                                    name:
                                      description: |-
                                        Name of the referent.
                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: description: |- Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: description: |- UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic type: object type: object description: |- Configs are configs for each registry. The key is the FDQN or IP of the registry. type: object mirrors: additionalProperties: description: Mirror contains the config related to the registry mirror. properties: endpoint: description: |- Endpoints are endpoints for a namespace. CRI plugin will try the endpoints one by one until a working one is found. The endpoint must be a valid url with host specified. The scheme, host and path from the endpoint URL will be used. items: type: string type: array rewrite: additionalProperties: type: string description: |- Rewrites are repository rewrite rules for a namespace. When fetching image resources from an endpoint and a key matches the repository via regular expression matching it will be replaced with the corresponding value from the map in the resource request. type: object type: object description: Mirrors are namespace to mirror mapping for all namespaces. type: object type: object type: object status: description: RKE2ConfigStatus defines the observed state of RKE2Config. properties: conditions: description: Conditions defines current service state of the RKE2Config. items: description: Condition defines an observation of a Cluster API resource operational state. properties: lastTransitionTime: description: |- Last time the condition transitioned from one status to another. This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- A human readable message indicating details about the transition. This field may be empty. type: string reason: description: |- The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. type: string severity: description: |- Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: description: |- Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime - status - type type: object type: array dataSecretName: description: DataSecretName is the name of the secret that stores the bootstrap data script. type: string failureMessage: description: FailureMessage will be set on non-retryable errors. type: string failureReason: description: FailureReason will be set on non-retryable errors. type: string observedGeneration: description: ObservedGeneration is the latest generation observed by the controller. format: int64 type: integer ready: description: Ready indicates the BootstrapData field is ready to be consumed. 
type: boolean type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: rke2-bootstrap-system/rke2-bootstrap-serving-cert controller-gen.kubebuilder.io/version: v0.14.0 labels: cluster.x-k8s.io/provider: bootstrap-rke2 cluster.x-k8s.io/v1beta1: v1alpha1_v1beta1 name: rke2configtemplates.bootstrap.cluster.x-k8s.io spec: conversion: strategy: Webhook webhook: clientConfig: service: name: rke2-bootstrap-webhook-service namespace: rke2-bootstrap-system path: /convert conversionReviewVersions: - v1 group: bootstrap.cluster.x-k8s.io names: kind: RKE2ConfigTemplate listKind: RKE2ConfigTemplateList plural: rke2configtemplates singular: rke2configtemplate scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: RKE2ConfigTemplate is the Schema for the RKE2configtemplates API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: Spec details the RKE2ConfigTemplate specification. properties: template: description: "Template references a RKE2ConfigTemplate, which is used to include an RKE2ConfigSpec struct.\n\tThis is used to include a desired RKE2ConfigSpec configuration when an RKE2Config resource is generated by a MachineDeployment resource." 
properties: spec: description: Spec is the RKE2ConfigSpec that should be used for the template. properties: agentConfig: description: AgentConfig specifies configuration for the agent nodes. properties: additionalUserData: description: |- AdditionalUserData is a field that allows users to specify additional cloud-init or ignition configuration to be included in the generated cloud-init/ignition script. properties: config: description: |- In case of using ignition, the data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/ NOTE: All fields of the UserData that are managed by the RKE2Config controller will be ignored, this include "write_files", "runcmd", "ntp". Deprecated: Data is reserved for the arbitrary cloud-init data type: string data: additionalProperties: type: string description: |- Data allows to pass arbitrary set of key/value pairs consistent with https://cloudinit.readthedocs.io/en/latest/reference/modules.html to extend existing cloud-init configuration type: object strict: description: Strict controls if Config should be strictly parsed. If so, warnings are treated as errors. type: boolean type: object x-kubernetes-validations: - message: Only config or data could be populated at once rule: '!has(self.data) || !has(self.config)' airGapped: description: |- AirGapped is a boolean value to define if the bootstrapping should be air-gapped, basically supposing that online container registries and RKE2 install scripts are not reachable. type: boolean cisProfile: description: CISProfile activates CIS compliance of RKE2 for a certain profile enum: - cis - cis-1.23 - cis-1.5 - cis-1.6 type: string containerRuntimeEndpoint: description: ContainerRuntimeEndpoint Disable embedded containerd and use alternative CRI implementation. type: string dataDir: description: DataDir Folder to hold state. 
type: string enableContainerdSElinux: description: |- EnableContainerdSElinux defines the policy for enabling SELinux for Containerd if value is true, Containerd will run with selinux-enabled=true flag if value is false, Containerd will run without the above flag type: boolean format: description: Format specifies the output format of the bootstrap data. Defaults to cloud-config. enum: - cloud-config - ignition type: string imageCredentialProviderConfigMap: description: |- ImageCredentialProviderConfigMap is a reference to the ConfigMap that contains credential provider plugin config The config map should contain a key "credential-config.yaml" with YAML file content and a key "credential-provider-binaries" with the a path to the binaries for the credential provider. properties: apiVersion: description: API version of the referent. type: string fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: description: |- Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: description: |- Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: description: |- UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic kubeProxy: description: KubeProxyArgs Customized flag for kube-proxy process. properties: extraArgs: description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.' items: type: string type: array extraEnv: additionalProperties: type: string description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command. type: object extraMounts: additionalProperties: type: string description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod type: object overrideImage: description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component type: string type: object kubelet: description: KubeletArgs Customized flag for kubelet process. properties: extraArgs: description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.' items: type: string type: array extraEnv: additionalProperties: type: string description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command. 
type: object extraMounts: additionalProperties: type: string description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod type: object overrideImage: description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component type: string type: object kubeletPath: description: KubeletPath Override kubelet binary path. type: string loadBalancerPort: description: |- LoadBalancerPort local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer (default: 6444). type: integer nodeAnnotations: additionalProperties: type: string description: |- NodeAnnotations are annotations that are created on nodes post bootstrap phase. Unfortunately it is not possible to apply annotations via kubelet using current bootstrap configurations. Issue: https://github.com/kubernetes/kubernetes/issues/108046 type: object nodeLabels: description: NodeLabels Registering and starting kubelet with set of labels. items: type: string type: array nodeName: description: NodeNamePrefix Prefix to the Node Name that CAPI will generate. type: string nodeTaints: description: NodeTaints Registering kubelet with set of taints. items: type: string type: array ntp: description: NTP specifies NTP configuration properties: enabled: description: Enabled specifies whether NTP should be enabled type: boolean servers: description: Servers specifies which NTP servers to use items: type: string type: array type: object protectKernelDefaults: description: |- ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults. if false, kernel tunable can be different from kubelet defaults type: boolean resolvConf: description: ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node. 
properties: apiVersion: description: API version of the referent. type: string fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: description: |- Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: description: |- Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: description: |- UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic runtimeImage: description: RuntimeImage override image to use for runtime binaries (containerd, kubectl, crictl, etc). type: string snapshotter: description: 'Snapshotter override default containerd snapshotter (default: "overlayfs").' 
type: string systemDefaultRegistry: description: SystemDefaultRegistry Private registry to be used for all system images. type: string version: description: Version specifies the rke2 version. type: string type: object files: description: Files specifies extra files to be passed to user_data upon creation. items: description: File defines the input for generating write_files in cloud-init. properties: content: description: Content is the actual content of the file. type: string contentFrom: description: ContentFrom is a referenced source of content to populate the file. properties: secret: description: SecretFileSource represents a secret that should populate this file. properties: key: description: Key is the key in the secret's data map for this value. type: string name: description: Name of the secret in the RKE2BootstrapConfig's namespace to use. type: string required: - key - name type: object required: - secret type: object encoding: description: Encoding specifies the encoding of the file contents. enum: - base64 - gzip - gzip+base64 type: string owner: description: Owner specifies the ownership of the file, e.g. "root:root". type: string path: description: Path specifies the full path on disk where to store the file. type: string permissions: description: Permissions specifies the permissions to assign to the file, e.g. "0640". type: string required: - path type: object type: array postRKE2Commands: description: PostRKE2Commands specifies extra commands to run after rke2 setup runs. items: type: string type: array preRKE2Commands: description: PreRKE2Commands specifies extra commands to run before rke2 setup runs. items: type: string type: array privateRegistriesConfig: description: PrivateRegistriesConfig defines the containerd configuration for private registries and local registry mirrors. properties: configs: additionalProperties: description: RegistryConfig contains configuration used to communicate with the registry. 
properties: authSecret: description: |- Auth si a reference to a Secret containing information to authenticate to the registry. The Secret must provite a username and a password data entry. properties: apiVersion: description: API version of the referent. type: string fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: description: |- Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: description: |- Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: description: |- UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic tls: description: |- TLS is a pair of CA/Cert/Key which then are used when creating the transport that communicates with the registry. 
properties: insecureSkipVerify: description: InsecureSkipVerify may be set to false to skip verifying the registry's certificate, default is true. type: boolean tlsConfigSecret: description: |- TLSConfigSecret is a reference to a secret of type `kubernetes.io/tls` thich has up to 3 entries: tls.crt, tls.key and ca.crt which describe the TLS configuration necessary to connect to the registry. properties: apiVersion: description: API version of the referent. type: string fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: description: |- Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: description: |- Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: description: |- UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic type: object type: object description: |- Configs are configs for each registry. The key is the FDQN or IP of the registry. type: object mirrors: additionalProperties: description: Mirror contains the config related to the registry mirror. properties: endpoint: description: |- Endpoints are endpoints for a namespace. CRI plugin will try the endpoints one by one until a working one is found. The endpoint must be a valid url with host specified. The scheme, host and path from the endpoint URL will be used. items: type: string type: array rewrite: additionalProperties: type: string description: |- Rewrites are repository rewrite rules for a namespace. When fetching image resources from an endpoint and a key matches the repository via regular expression matching it will be replaced with the corresponding value from the map in the resource request. type: object type: object description: Mirrors are namespace to mirror mapping for all namespaces. type: object type: object type: object required: - spec type: object required: - template type: object required: - spec type: object served: true storage: false subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: description: RKE2ConfigTemplate is the Schema for the RKE2configtemplates API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: Spec details the RKE2ConfigTemplate specification. properties: template: description: "Template references a RKE2ConfigTemplate, which is used to include an RKE2ConfigSpec struct.\n\tThis is used to include a desired RKE2ConfigSpec configuration when an RKE2Config resource is generated by a MachineDeployment resource." properties: spec: description: Spec is the RKE2ConfigSpec that should be used for the template. properties: agentConfig: description: AgentConfig specifies configuration for the agent nodes. properties: additionalUserData: description: |- AdditionalUserData is a field that allows users to specify additional cloud-init or ignition configuration to be included in the generated cloud-init/ignition script. properties: config: description: |- In case of using ignition, the data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/ NOTE: All fields of the UserData that are managed by the RKE2Config controller will be ignored, this include "write_files", "runcmd", "ntp". type: string data: additionalProperties: type: string description: |- Data allows to pass arbitrary set of key/value pairs consistent with https://cloudinit.readthedocs.io/en/latest/reference/modules.html to extend existing cloud-init configuration type: object strict: description: Strict controls if Config should be strictly parsed. If so, warnings are treated as errors. type: boolean type: object x-kubernetes-validations: - message: Only config or data could be populated at once rule: '!has(self.data) || !has(self.config)' airGapped: description: |- AirGapped is a boolean value to define if the bootstrapping should be air-gapped, basically supposing that online container registries and RKE2 install scripts are not reachable. 
                                type: boolean
                              airGappedChecksum:
                                description: |-
                                  AirGappedChecksum is a string value with a sha256sum checksum to compare with checksum of existing sha256sum-.txt
                                  file for packages already available on the machine before performing air-gapped installation.
                                type: string
                              cisProfile:
                                description: CISProfile activates CIS compliance of RKE2 for a certain profile
                                enum:
                                - cis
                                - cis-1.23
                                - cis-1.5
                                - cis-1.6
                                type: string
                              containerRuntimeEndpoint:
                                description: ContainerRuntimeEndpoint Disable embedded containerd and use alternative CRI implementation.
                                type: string
                              dataDir:
                                description: DataDir Folder to hold state.
                                type: string
                              enableContainerdSElinux:
                                description: |-
                                  EnableContainerdSElinux defines the policy for enabling SELinux for Containerd
                                  if value is true, Containerd will run with selinux-enabled=true flag
                                  if value is false, Containerd will run without the above flag
                                type: boolean
                              format:
                                description: Format specifies the output format of the bootstrap data. Defaults to cloud-config.
                                enum:
                                - cloud-config
                                - ignition
                                type: string
                              imageCredentialProviderConfigMap:
                                description: |-
                                  ImageCredentialProviderConfigMap is a reference to the ConfigMap that contains credential provider plugin config
                                  The config map should contain a key "credential-config.yaml" with YAML file content and
                                  a key "credential-provider-binaries" with a path to the binaries for the credential provider.
                                properties:
                                  apiVersion:
                                    description: API version of the referent.
                                    type: string
                                  fieldPath:
                                    description: |-
                                      If referring to a piece of an object instead of an entire object, this string
                                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                      For example, if the object reference is to a container within a pod, this would take on a value like:
                                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
                                      the event) or if no container name is specified "spec.containers[2]" (container with
                                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
                                      referencing a part of an object.
                                      TODO: this design is not final and this field is subject to change in the future.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of the referent.
                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                    type: string
                                  name:
                                    description: |-
                                      Name of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                    type: string
                                  resourceVersion:
                                    description: |-
                                      Specific resourceVersion to which this reference is made, if any.
                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                    type: string
                                  uid:
                                    description: |-
                                      UID of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                    type: string
                                type: object
                                x-kubernetes-map-type: atomic
                              kubeProxy:
                                description: KubeProxyArgs Customized flag for kube-proxy process.
                                properties:
                                  extraArgs:
                                    description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                                    items:
                                      type: string
                                    type: array
                                  extraEnv:
                                    additionalProperties:
                                      type: string
                                    description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                                    type: object
                                  extraMounts:
                                    additionalProperties:
                                      type: string
                                    description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                                    type: object
                                  overrideImage:
                                    description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                                    type: string
                                type: object
                              kubelet:
                                description: KubeletArgs Customized flag for kubelet process.
                                properties:
                                  extraArgs:
                                    description: 'ExtraArgs is a list of command line arguments (format: flag=value) to pass to a Kubernetes Component command.'
                                    items:
                                      type: string
                                    type: array
                                  extraEnv:
                                    additionalProperties:
                                      type: string
                                    description: ExtraEnv is a map of environment variables to pass on to a Kubernetes Component command.
                                    type: object
                                  extraMounts:
                                    additionalProperties:
                                      type: string
                                    description: ExtraMounts is a map of volume mounts to be added for the Kubernetes component StaticPod
                                    type: object
                                  overrideImage:
                                    description: OverrideImage is a string that references a container image to override the default one for the Kubernetes Component
                                    type: string
                                type: object
                              kubeletPath:
                                description: KubeletPath Override kubelet binary path.
                                type: string
                              loadBalancerPort:
                                description: |-
                                  LoadBalancerPort local port for supervisor client load-balancer. If the supervisor and apiserver are
                                  not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer (default: 6444).
                                type: integer
                              nodeAnnotations:
                                additionalProperties:
                                  type: string
                                description: |-
                                  NodeAnnotations are annotations that are created on nodes post bootstrap phase.
                                  Unfortunately it is not possible to apply annotations via kubelet
                                  using current bootstrap configurations.
                                  Issue: https://github.com/kubernetes/kubernetes/issues/108046
                                type: object
                              nodeLabels:
                                description: NodeLabels Registering and starting kubelet with set of labels.
                                items:
                                  type: string
                                type: array
                              nodeName:
                                description: NodeNamePrefix Prefix to the Node Name that CAPI will generate.
                                type: string
                              nodeTaints:
                                description: NodeTaints Registering kubelet with set of taints.
                                items:
                                  type: string
                                type: array
                              ntp:
                                description: NTP specifies NTP configuration
                                properties:
                                  enabled:
                                    description: Enabled specifies whether NTP should be enabled
                                    type: boolean
                                  servers:
                                    description: Servers specifies which NTP servers to use
                                    items:
                                      type: string
                                    type: array
                                type: object
                              podSecurityAdmissionConfigFile:
                                description: |-
                                  PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file.
                                  The file can be passed through spec.Files field.
                                type: string
                              protectKernelDefaults:
                                description: |-
                                  ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
                                  if false, kernel tunable can be different from kubelet defaults
                                type: boolean
                              resolvConf:
                                description: ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node.
                                properties:
                                  apiVersion:
                                    description: API version of the referent.
                                    type: string
                                  fieldPath:
                                    description: |-
                                      If referring to a piece of an object instead of an entire object, this string
                                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                      For example, if the object reference is to a container within a pod, this would take on a value like:
                                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
                                      the event) or if no container name is specified "spec.containers[2]" (container with
                                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
                                      referencing a part of an object.
                                      TODO: this design is not final and this field is subject to change in the future.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of the referent.
                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                    type: string
                                  name:
                                    description: |-
                                      Name of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                    type: string
                                  resourceVersion:
                                    description: |-
                                      Specific resourceVersion to which this reference is made, if any.
                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                    type: string
                                  uid:
                                    description: |-
                                      UID of the referent.
                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                    type: string
                                type: object
                                x-kubernetes-map-type: atomic
                              runtimeImage:
                                description: RuntimeImage override image to use for runtime binaries (containerd, kubectl, crictl, etc).
                                type: string
                              snapshotter:
                                description: 'Snapshotter override default containerd snapshotter (default: "overlayfs").'
                                type: string
                              systemDefaultRegistry:
                                description: SystemDefaultRegistry Private registry to be used for all system images.
                                type: string
                            type: object
                          files:
                            description: Files specifies extra files to be passed to user_data upon creation.
                            items:
                              description: File defines the input for generating write_files in cloud-init.
                              properties:
                                content:
                                  description: Content is the actual content of the file.
                                  type: string
                                contentFrom:
                                  description: ContentFrom is a referenced source of content to populate the file.
                                  properties:
                                    secret:
                                      description: SecretFileSource represents a secret that should populate this file.
                                      properties:
                                        key:
                                          description: Key is the key in the secret's data map for this value.
                                          type: string
                                        name:
                                          description: Name of the secret in the RKE2BootstrapConfig's namespace to use.
                                          type: string
                                      required:
                                      - key
                                      - name
                                      type: object
                                  required:
                                  - secret
                                  type: object
                                encoding:
                                  description: Encoding specifies the encoding of the file contents.
                                  enum:
                                  - base64
                                  - gzip
                                  - gzip+base64
                                  type: string
                                owner:
                                  description: Owner specifies the ownership of the file, e.g. "root:root".
                                  type: string
                                path:
                                  description: Path specifies the full path on disk where to store the file.
                                  type: string
                                permissions:
                                  description: Permissions specifies the permissions to assign to the file, e.g. "0640".
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          postRKE2Commands:
                            description: PostRKE2Commands specifies extra commands to run after rke2 setup runs.
                            items:
                              type: string
                            type: array
                          preRKE2Commands:
                            description: PreRKE2Commands specifies extra commands to run before rke2 setup runs.
                            items:
                              type: string
                            type: array
                          privateRegistriesConfig:
                            description: PrivateRegistriesConfig defines the containerd configuration for private registries and local registry mirrors.
                            properties:
                              configs:
                                additionalProperties:
                                  description: RegistryConfig contains configuration used to communicate with the registry.
                                  properties:
                                    authSecret:
                                      description: |-
                                        Auth is a reference to a Secret containing information to authenticate to the registry.
                                        The Secret must provide a username and a password data entry.
                                      properties:
                                        apiVersion:
                                          description: API version of the referent.
                                          type: string
                                        fieldPath:
                                          description: |-
                                            If referring to a piece of an object instead of an entire object, this string
                                            should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                            For example, if the object reference is to a container within a pod, this would take on a value like:
                                            "spec.containers{name}" (where "name" refers to the name of the container that triggered
                                            the event) or if no container name is specified "spec.containers[2]" (container with
                                            index 2 in this pod). This syntax is chosen only to have some well-defined way of
                                            referencing a part of an object.
                                            TODO: this design is not final and this field is subject to change in the future.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of the referent.
                                            More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                          type: string
                                        name:
                                          description: |-
                                            Name of the referent.
                                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referent.
                                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                          type: string
                                        resourceVersion:
                                          description: |-
                                            Specific resourceVersion to which this reference is made, if any.
                                            More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                          type: string
                                        uid:
                                          description: |-
                                            UID of the referent.
                                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                          type: string
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    tls:
                                      description: |-
                                        TLS is a pair of CA/Cert/Key which then are used when
                                        creating the transport that communicates with the registry.
                                      properties:
                                        insecureSkipVerify:
                                          description: InsecureSkipVerify may be set to false to skip verifying the registry's certificate, default is true.
                                          type: boolean
                                        tlsConfigSecret:
                                          description: |-
                                            TLSConfigSecret is a reference to a secret of type `kubernetes.io/tls` which has up to 3 entries: tls.crt, tls.key and ca.crt
                                            which describe the TLS configuration necessary to connect to the registry.
                                          properties:
                                            apiVersion:
                                              description: API version of the referent.
                                              type: string
                                            fieldPath:
                                              description: |-
                                                If referring to a piece of an object instead of an entire object, this string
                                                should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                                                For example, if the object reference is to a container within a pod, this would take on a value like:
                                                "spec.containers{name}" (where "name" refers to the name of the container that triggered
                                                the event) or if no container name is specified "spec.containers[2]" (container with
                                                index 2 in this pod). This syntax is chosen only to have some well-defined way of
                                                referencing a part of an object.
                                                TODO: this design is not final and this field is subject to change in the future.
                                              type: string
                                            kind:
                                              description: |-
                                                Kind of the referent.
                                                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                                              type: string
                                            name:
                                              description: |-
                                                Name of the referent.
                                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                              type: string
                                            namespace:
                                              description: |-
                                                Namespace of the referent.
                                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                                              type: string
                                            resourceVersion:
                                              description: |-
                                                Specific resourceVersion to which this reference is made, if any.
                                                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                                              type: string
                                            uid:
                                              description: |-
                                                UID of the referent.
                                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                                              type: string
                                          type: object
                                          x-kubernetes-map-type: atomic
                                      type: object
                                  type: object
                                description: |-
                                  Configs are configs for each registry.
                                  The key is the FQDN or IP of the registry.
                                type: object
                              mirrors:
                                additionalProperties:
                                  description: Mirror contains the config related to the registry mirror.
                                  properties:
                                    endpoint:
                                      description: |-
                                        Endpoints are endpoints for a namespace. CRI plugin will try the endpoints
                                        one by one until a working one is found. The endpoint must be a valid url
                                        with host specified.
                                        The scheme, host and path from the endpoint URL will be used.
                                      items:
                                        type: string
                                      type: array
                                    rewrite:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        Rewrites are repository rewrite rules for a namespace. When fetching image resources
                                        from an endpoint and a key matches the repository via regular expression matching
                                        it will be replaced with the corresponding value from the map in the resource request.
                                      type: object
                                  type: object
                                description: Mirrors are namespace to mirror mapping for all namespaces.
                                type: object
                            type: object
                        type: object
                    required:
                    - spec
                    type: object
                required:
                - template
                type: object
            required:
            - spec
            type: object
        served: true
        storage: true
        subresources:
          status: {}
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-manager
      namespace: rke2-bootstrap-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-leader-election-role
      namespace: rke2-bootstrap-system
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    - apiGroups:
      - coordination.k8s.io
      resources:
      - leases
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-manager-role
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - events
      - secrets
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - authentication.k8s.io
      resources:
      - tokenreviews
      verbs:
      - create
    - apiGroups:
      - authorization.k8s.io
      resources:
      - subjectaccessreviews
      verbs:
      - create
    - apiGroups:
      - bootstrap.cluster.x-k8s.io
      resources:
      - rke2configs
      - rke2configs/finalizers
      - rke2configs/status
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - cluster.x-k8s.io
      resources:
      - clusters
      - clusters/status
      - machinepools
      - machinepools/status
      - machines
      - machines/status
      - machinesets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - controlplane.cluster.x-k8s.io
      resources:
      - rke2controlplanes
      - rke2controlplanes/status
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-leader-election-rolebinding
      namespace: rke2-bootstrap-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: rke2-bootstrap-leader-election-role
    subjects:
    - kind: ServiceAccount
      name: rke2-bootstrap-manager
      namespace: rke2-bootstrap-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-manager-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: rke2-bootstrap-manager-role
    subjects:
    - kind: ServiceAccount
      name: rke2-bootstrap-manager
      namespace: rke2-bootstrap-system
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-webhook-service
      namespace: rke2-bootstrap-system
    spec:
      ports:
      - port: 443
        targetPort: webhook-server
      selector:
        cluster.x-k8s.io/provider: bootstrap-rke2
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
        control-plane: controller-manager
      name: rke2-bootstrap-controller-manager
      namespace: rke2-bootstrap-system
    spec:
      replicas: 1
      selector:
        matchLabels:
          cluster.x-k8s.io/provider: bootstrap-rke2
          control-plane: controller-manager
      template:
        metadata:
          annotations:
            kubectl.kubernetes.io/default-container: manager
          labels:
            cluster.x-k8s.io/provider: bootstrap-rke2
            control-plane: controller-manager
        spec:
          containers:
          - args:
            - --leader-elect
            - --diagnostics-address=${CAPRKE2_DIAGNOSTICS_ADDRESS:=:8443}
            - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
            command:
            - /manager
            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.9.0
            imagePullPolicy: IfNotPresent
            livenessProbe:
              httpGet:
                path: /healthz
                port: healthz
            name: manager
            ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
            - containerPort: 9440
              name: healthz
              protocol: TCP
            - containerPort: 8443
              name: metrics
              protocol: TCP
            readinessProbe:
              httpGet:
                path: /readyz
                port: healthz
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              runAsGroup: 65532
              runAsUser: 65532
            terminationMessagePolicy: FallbackToLogsOnError
            volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
              readOnly: true
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: rke2-bootstrap-manager
          terminationGracePeriodSeconds: 10
          tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          - effect: NoSchedule
            key: node-role.kubernetes.io/control-plane
          volumes:
          - name: cert
            secret:
              secretName: rke2-bootstrap-webhook-service-cert
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-serving-cert
      namespace: rke2-bootstrap-system
    spec:
      dnsNames:
      - rke2-bootstrap-webhook-service.rke2-bootstrap-system.svc
      - rke2-bootstrap-webhook-service.rke2-bootstrap-system.svc.cluster.local
      issuerRef:
        kind: Issuer
        name: rke2-bootstrap-selfsigned-issuer
      secretName: rke2-bootstrap-webhook-service-cert
      subject:
        organizations:
        - Rancher by SUSE
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-selfsigned-issuer
      namespace: rke2-bootstrap-system
    spec:
      selfSigned: {}
    ---
    apiVersion: admissionregistration.k8s.io/v1
    kind: MutatingWebhookConfiguration
    metadata:
      annotations:
        cert-manager.io/inject-ca-from: rke2-bootstrap-system/rke2-bootstrap-serving-cert
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-mutating-webhook-configuration
    webhooks:
    - admissionReviewVersions:
      - v1
      clientConfig:
        service:
          name: rke2-bootstrap-webhook-service
          namespace: rke2-bootstrap-system
          path: /mutate-bootstrap-cluster-x-k8s-io-v1beta1-rke2config
      failurePolicy: Fail
      name: mrke2config.kb.io
      rules:
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        apiVersions:
        - v1beta1
        operations:
        - CREATE
        - UPDATE
        resources:
        - rke2configs
      sideEffects: None
    - admissionReviewVersions:
      - v1
      clientConfig:
        service:
          name: rke2-bootstrap-webhook-service
          namespace: rke2-bootstrap-system
          path: /mutate-bootstrap-cluster-x-k8s-io-v1beta1-rke2configtemplate
      failurePolicy: Fail
      name: mrke2configtemplate.kb.io
      rules:
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        apiVersions:
        - v1beta1
        operations:
        - CREATE
        - UPDATE
        resources:
        - rke2configtemplates
      sideEffects: None
    ---
    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      annotations:
        cert-manager.io/inject-ca-from: rke2-bootstrap-system/rke2-bootstrap-serving-cert
      labels:
        cluster.x-k8s.io/provider: bootstrap-rke2
      name: rke2-bootstrap-validating-webhook-configuration
    webhooks:
    - admissionReviewVersions:
      - v1
      clientConfig:
        service:
          name: rke2-bootstrap-webhook-service
          namespace: rke2-bootstrap-system
          path: /validate-bootstrap-cluster-x-k8s-io-v1beta1-rke2config
      failurePolicy: Fail
      name: vrke2config.kb.io
      rules:
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        apiVersions:
        - v1beta1
        operations:
        - CREATE
        - UPDATE
        resources:
        - rke2configs
      sideEffects: None
    - admissionReviewVersions:
      - v1
      clientConfig:
        service:
          name: rke2-bootstrap-webhook-service
          namespace: rke2-bootstrap-system
          path: /validate-bootstrap-cluster-x-k8s-io-v1beta1-rke2configtemplate
      failurePolicy: Fail
      name: vrke2configtemplate.kb.io
      rules:
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        apiVersions:
        - v1beta1
        operations:
        - CREATE
        - UPDATE
        resources:
        - rke2configtemplates
      sideEffects: None
  metadata: |
    # maps release series of major.minor to cluster-api contract version
    # the contract version may change between minor or major versions, but *not*
    # between patch versions.
    #
    # update this file only when a new major or minor version is released
    apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
    kind: Metadata
    releaseSeries:
    - major: 0
      minor: 1
      contract: v1beta1
    - major: 0
      minor: 2
      contract: v1beta1
    - major: 0
      minor: 3
      contract: v1beta1
    - major: 0
      minor: 4
      contract: v1beta1
    - major: 0
      minor: 5
      contract: v1beta1
    - major: 0
      minor: 6
      contract: v1beta1
    - major: 0
      minor: 7
      contract: v1beta1
    - major: 0
      minor: 8
      contract: v1beta1
    - major: 0
      minor: 9
      contract: v1beta1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: v0.9.0
  namespace: rke2-bootstrap-system
  labels:
    provider-components: rke2-bootstrap