diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 8dee58b..3a0e080 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,12 +6,13 @@ on:
description: 'Version tag'
required: true
type:
- description: 'Name of the software that should be released. '
+ description: 'Name of the software that should be released.'
required: true
type: choice
options:
- stunner
- stunner-gateway-operator
+ - stunner-premium #stunner-gateway-operator premium edition, left out the gateway-operator part to shorten the name
env:
@@ -64,6 +65,27 @@ jobs:
sed -i '/authService:/,/tag:/ s/\(tag:\s*\).*/\1'"${{ env.TAG }}"'/' stunner-gateway-operator/values.yaml
sed -ri 's/^(\s*)(appVersion\s*:\s*.*\s*$)/\1appVersion: ${{ env.TAG }}/' stunner-gateway-operator/Chart.yaml
+ # STUNner premium edition
+ - name: Edit helm chart for stunner-premium
+ if: ${{ env.TYPE == 'stunner-premium' }}
+ run: |
+ cd stunner-helm/helm
+ if ${{ env.TAG == 'dev' }}; then
+ sed -ri 's/^(\s*)(name\s*:\s*.*\s*$)/\1name: stunner-gateway-operator-dev/' stunner-gateway-operator/Chart.yaml
+ sed -i '/stunnerGatewayOperator:/,/pullPolicy:/ s/\(pullPolicy:\s*\).*/\1Always/' stunner-gateway-operator/values.yaml
+ sed -i '/dataplane:/,/pullPolicy:/ s/\(pullPolicy:\s*\).*/\1Always/' stunner-gateway-operator/values.yaml
+ sed -i '/authService:/,/pullPolicy:/ s/\(pullPolicy:\s*\).*/\1Always/' stunner-gateway-operator/values.yaml
+ else
+ sed -ri 's/^(\s*)(version\s*:\s*.*\s*$)/\1version: ${{ env.TAG }}/' stunner-gateway-operator/Chart.yaml
+ fi
+ sed -i '/stunnerGatewayOperator:/,/tag:/ s/\(tag:\s*\).*/\1'"${{ env.TAG }}"'/' stunner-gateway-operator/values.yaml
+ sed -i '/dataplane:/,/tag:/ s/\(tag:\s*\).*/\1'"${{ env.TAG }}"'/' stunner-gateway-operator/values.yaml
+ sed -i '/authService:/,/tag:/ s/\(tag:\s*\).*/\1'"${{ env.TAG }}"'/' stunner-gateway-operator/values.yaml
+ sed -ri 's/^(\s*)(appVersion\s*:\s*.*\s*$)/\1appVersion: ${{ env.TAG }}/' stunner-gateway-operator/Chart.yaml
+ sed -i '/container:/,/name:/ s/\(name:\s*\)docker\.io\/l7mp\/stunner-gateway-operator/\1'"${{ env.TYPE }}"'/' stunner-gateway-operator/values.yaml
+ sed -i '/dataplane:/,/name:/ s/\(name:\s*\)docker\.io\/l7mp\/stunnerd/\1docker.io\/l7mp\/stunnerd-premium/' stunner-gateway-operator/values.yaml
+ sed -ri 's/^(\s*)(name\s*:\s*.*\s*$)/\1name: stunner-premium/' stunner-gateway-operator/Chart.yaml
+
- name: Set up Helm
uses: azure/setup-helm@v4
with:
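Review bot: The new `Edit helm chart for stunner-premium` step pastes `${{ env.TAG }}` and `${{ env.TYPE }}` into the `run:` script text, so the value is substituted before bash parses the script, and a tag containing a quote or `$(...)` becomes shell syntax instead of data. If `TAG` is defined in the workflow-level `env:` block (outside this hunk), it is already exported to the step and can be read as a quoted shell variable, e.g. `if [ "$TAG" = "dev" ]; then` and `s/\(tag:\s*\).*/\1'"$TAG"'/`. Checking the tag against the expected version pattern first would also cover sed metacharacters such as `/` and `&`. The same pattern appears in the `Build helm chart` hunk (`if ${{ env.TYPE == 'stunner-premium' }}; then`). Separately, the last `sed -ri ... name: stunner-premium` runs unconditionally and overwrites the `stunner-gateway-operator-dev` name set in the `dev` branch above; if the dev name is meant to survive, that rename belongs in the `else` branch.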
@@ -73,14 +95,20 @@ jobs:
uses: helm/chart-testing-action@v2
- name: Run chart-testing (lint)
+ #TODO: temporary 'if', should be removed. To remove we may need to provide a dummy customer key, not sure
+ if: ${{ env.TYPE != 'stunner-premium' }}
run: |
cd stunner-helm
ct lint --all --chart-dirs helm --excluded-charts stunner-kurento-one2one-call
- name: Create kind cluster
+ #TODO: temporary 'if', should be removed. To remove we may need to provide a dummy customer key, not sure
+ if: ${{ env.TYPE != 'stunner-premium' }}
uses: helm/kind-action@v1
- name: Run chart-testing (install)
+ #TODO: temporary 'if', should be removed. To remove we may need to provide a dummy customer key, not sure
+ if: ${{ env.TYPE != 'stunner-premium' }}
run: |
cd stunner-helm
ct install --chart-dirs helm --charts helm/${{ env.TYPE }}
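Review bot: With all three `if: ${{ env.TYPE != 'stunner-premium' }}` guards in place, the premium chart is packaged and pushed by the later steps with no validation at all, even though its `Chart.yaml` and `values.yaml` have just been rewritten by a series of sed commands. `ct lint` does not deploy anything, so it probably does not need the customer key the TODO mentions (to be confirmed). Keeping the lint step enabled and guarding only `Create kind cluster` and `Run chart-testing (install)` would at least catch a malformed chart. When the install guard is removed, note that `ct install --charts helm/${{ env.TYPE }}` would point at `helm/stunner-premium`, while the build step packages the `stunner-gateway-operator` directory. The three identical TODO comments would be easier to track as a single comment that references an issue.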
@@ -88,7 +116,11 @@ jobs:
- name: Build helm chart for ${{ env.TYPE }}
run: |
cd stunner-helm/helm
- helm package ${{ env.TYPE }}
+ if ${{ env.TYPE == 'stunner-premium' }}; then
+ helm package stunner-gateway-operator
+ else
+ helm package ${{ env.TYPE }}
+ fi
- name: Set git config
run: |
@@ -120,7 +152,7 @@ jobs:
git push origin master
- name: Update stunner-helm repo
- if: ${{ env.TAG != 'dev' }}
+ if: ${{ env.TAG != 'dev' || env.TYPE != 'stunner-premium' }}
run: |
cd stunner-helm
rm helm/*.tgz
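Review bot: The new condition `env.TAG != 'dev' || env.TYPE != 'stunner-premium'` is false only when the tag is `dev` and the type is `stunner-premium`, so `dev` builds of `stunner` and `stunner-gateway-operator` now run `Update stunner-helm repo`, which the previous `env.TAG != 'dev'` skipped. If the intent was to skip the step for dev builds and also for premium, the operator should be `&&`: `if: ${{ env.TAG != 'dev' && env.TYPE != 'stunner-premium' }}`. If premium releases should still update the repo, the original condition can stay as it was. The step's body continues outside the hunk, so what it commits or pushes after `rm helm/*.tgz` is not visible here.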
diff --git a/helm/stunner-gateway-operator/crds/stunner-crd.yaml b/helm/stunner-gateway-operator/crds/stunner-crd.yaml
index db856cb..868cbc5 100644
--- a/helm/stunner-gateway-operator/crds/stunner-crd.yaml
+++ b/helm/stunner-gateway-operator/crds/stunner-crd.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
+ controller-gen.kubebuilder.io/version: v0.16.5
name: gatewayconfigs.stunner.l7mp.io
spec:
group: stunner.l7mp.io
@@ -91,13 +91,11 @@ spec:
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
-
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
Support: Core
maxLength: 63
minLength: 1
@@ -125,7 +123,6 @@ spec:
LoadBalancerServiceAnnotations is a list of annotations that will go into the
LoadBalancer services created automatically by the operator to wrap Gateways.
-
NOTE: removing annotations from a GatewayConfig will not result in the removal of the
corresponding annotations from the LoadBalancer service, in order to prevent the
accidental removal of an annotation installed there by Kubernetes or the cloud
@@ -149,7 +146,6 @@ spec:
Realm defines the STUN/TURN authentication realm to be used for clients toauthenticate
with STUNner.
-
The realm must consist of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -158,11 +154,27 @@ spec:
description: SharedSecret defines the shared secret to be used for
"longterm" authentication.
type: string
+ stunMode:
+ description: |-
+ STUNMode toggles STUN-server mode. In this mode only STUN binding requests are handled,
+ but no TURN allocations are allowed by the gateway. This is useful to prevent a DDoS
+ vector when STUNner is deployed as a user-facing STUN server, where a client creates and
+ removes empty allocations in a fast loop to overload the TURN server. When STUN-mode is
+ enabled TURN credentials are optional and ignored even if provided, otherwise TURN
+ credentials are mandatory. Default is false, which disables pure-STUN mode. Not
+ supported in the free tier.
+ type: boolean
userName:
description: Username defines the `username` credential for "plaintext"
authentication.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
+ userQuota:
+ description: |-
+ UserQuota limits the number of allocations active at one time for a given TURN username
+ (see RFC8656/Section 5). Overlimit allocations are rejected with a 486 (Allocation Quota
+ Reached) error. Default is no quota. Not supported in the free tier.
+ type: integer
type: object
type: object
served: true
@@ -241,13 +253,11 @@ spec:
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
-
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
-
Support: Core
maxLength: 63
minLength: 1
@@ -283,7 +293,6 @@ spec:
LoadBalancerServiceAnnotations is a list of annotations that will go into the
LoadBalancer services created automatically by the operator to wrap Gateways.
-
NOTE: removing annotations from a GatewayConfig will not result in the removal of the
corresponding annotations from the LoadBalancer service, in order to prevent the
accidental removal of an annotation installed there by Kubernetes or the cloud
@@ -323,7 +332,6 @@ spec:
Realm defines the STUN/TURN authentication realm to be used for clients toauthenticate
with STUNner.
-
The realm must consist of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -355,7 +363,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
+ controller-gen.kubebuilder.io/version: v0.16.5
name: staticservices.stunner.l7mp.io
spec:
group: stunner.l7mp.io
@@ -451,17 +459,14 @@ spec:
This field follows standard Kubernetes label syntax.
Valid values are either:
-
* Un-prefixed protocol names - reserved for IANA standard service names (as per
RFC-6335 and https://www.iana.org/assignments/service-names).
-
* Kubernetes-defined prefixed names:
* 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
* 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
* 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
-
* Other protocols should use implementation-defined prefixed names such as
mycompany.com/my-custom-protocol.
type: string
@@ -535,7 +540,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
+ controller-gen.kubebuilder.io/version: v0.16.5
name: dataplanes.stunner.l7mp.io
spec:
group: stunner.l7mp.io
@@ -632,11 +637,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
@@ -664,11 +671,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
weight:
@@ -681,6 +690,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
@@ -725,11 +735,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
@@ -757,14 +769,17 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
type: array
+ x-kubernetes-list-type: atomic
required:
- nodeSelectorTerms
type: object
@@ -825,11 +840,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -844,13 +861,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -859,13 +876,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -905,11 +922,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -929,6 +948,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -951,6 +971,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
@@ -1000,11 +1021,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1019,13 +1042,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1034,13 +1057,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1079,11 +1102,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1103,6 +1128,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -1115,6 +1141,7 @@ spec:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g.
@@ -1172,11 +1199,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1191,13 +1220,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1206,13 +1235,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1252,11 +1281,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1276,6 +1307,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -1298,6 +1330,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
@@ -1347,11 +1380,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1366,13 +1401,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1381,13 +1416,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -1426,11 +1461,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -1450,6 +1487,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -1462,6 +1500,7 @@ spec:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
type: object
annotations:
@@ -1469,9 +1508,10 @@ spec:
type: string
description: |-
Custom annotations to add to dataplane pods. Note that this does not affect the
- annotations added to the Deployment (this come from the correspnding Gateway), just the
- pods. Note also that mandatory pod annotations override whatever you set here on
- conflict, and the annotations set here override annotations manually added to the pods.
+ annotations added to the dataplane resource (Deployment or DaemonSet) as those are
+ copied from the correspnding Gateway, just the pods. Note also that mandatory pod
+ annotations override whatever you set here on conflict, and the annotations set here
+ override annotations manually added to the pods.
type: object
args:
description: Arguments to the entrypoint.
@@ -1498,6 +1538,30 @@ spec:
2) has CAP_SYS_ADMIN
Note that this field cannot be set when spec.os.name is windows.
type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
capabilities:
description: |-
The capabilities to add/drop when running containers.
@@ -1510,12 +1574,14 @@ spec:
description: Capability represent POSIX capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
privileged:
description: |-
@@ -1527,7 +1593,7 @@ spec:
procMount:
description: |-
procMount denotes the type of proc mount to use for the containers.
- The default is DefaultProcMount which uses the container runtime defaults for
+ The default value is Default which uses the container runtime defaults for
readonly paths and masked paths.
This requires the ProcMountType feature flag to be enabled.
Note that this field cannot be set when spec.os.name is windows.
@@ -1609,7 +1675,6 @@ spec:
type indicates which kind of seccomp profile will be applied.
Valid options are:
-
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
@@ -1650,6 +1715,15 @@ spec:
type: string
type: object
type: object
+ dataplaneResource:
+ default: Deployment
+ description: |-
+ DataplaneResource defines the Kubernetes resource kind to use to deploy the dataplane,
+ can be either Deployment (default) or DaemonSet (not supported in the free tier).
+ enum:
+ - Deployment
+ - DaemonSet
+ type: string
disableHealthCheck:
description: |-
Disable health-checking. Default is to enable HTTP health-checks on port 8086: a
@@ -1695,10 +1769,13 @@ spec:
description: The key to select.
type: string
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap or its key
@@ -1757,10 +1834,13 @@ spec:
be a valid secret key.
type: string
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key must
@@ -1785,10 +1865,13 @@ spec:
description: The ConfigMap to select from
properties:
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap must be defined
@@ -1803,10 +1886,13 @@ spec:
description: The Secret to select from
properties:
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret must be defined
@@ -1839,10 +1925,13 @@ spec:
referenced object inside the same namespace.
properties:
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
@@ -1852,15 +1941,16 @@ spec:
type: string
description: |-
Custom labels to add to dataplane pods. Note that this does not affect the labels added
- to the Deployment (those come from the Gateway), just the pods. Note also that mandatory
- pod labels override whatever you set here on conflict. The only way to set pod labels is
- here: whatever you set manually on the dataplane pod will be reset by the opetator.
+ to the dataplane resource (Deployment or DaemonSet) as those are copied from the
+ Gateway, just the pods. Note also that mandatory pod labels override whatever you set
+ here on conflict. The only way to set pod labels is here: whatever you set manually on
+ the dataplane pod will be reset by the opetator.
type: object
replicas:
description: |-
- Number of desired pods. If empty or set to 1, use whatever is in the target Deployment.
- Otherwise, enforce this setting, overwiting whatever is set in the Deployment (this may
- block autoscaling the dataplane though). Defaults to 1.
+ Number of desired pods. If empty or set to 1, use whatever is in the target Deployment,
+ otherwise overwite whatever is in the Deployment (this may block autoscaling the
+ dataplane though). Ignored if the dataplane is deployed into a DaemonSet. Defaults to 1.
format: int32
type: integer
resources:
@@ -1871,11 +1961,9 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
-
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
-
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1886,6 +1974,12 @@ spec:
the Pod where this field is used. It makes that resource available
inside a container.
type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
required:
- name
type: object
@@ -1922,18 +2016,39 @@ spec:
description: SecurityContext holds pod-level security attributes and
common container settings.
properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
-
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
-
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
format: int64
@@ -1977,6 +2092,32 @@ spec:
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
+ seLinuxChangePolicy:
+ description: |-
+ seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+ It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+ Valid values are "MountOption" and "Recursive".
+
+ "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+ This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+ "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+ This requires all Pods that share the same volume to use the same SELinux label.
+ It is not possible to share the same volume among privileged and unprivileged Pods.
+ Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+ whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+ CSIDriver instance. Other volumes are always re-labelled recursively.
+ "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+ If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+ If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+ and "Recursive" for all other volumes.
+
+ This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+ All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
@@ -2020,7 +2161,6 @@ spec:
type indicates which kind of seccomp profile will be applied.
Valid options are:
-
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
@@ -2030,17 +2170,28 @@ spec:
type: object
supplementalGroups:
description: |-
- A list of groups applied to the first process run in each container, in addition
- to the container's primary GID, the fsGroup (if specified), and group memberships
- defined in the container image for the uid of the container process. If unspecified,
- no additional groups are added to any container. Note that group memberships
- defined in the container image for the uid of the container process are still effective,
- even if they are not included in this list.
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
Note that this field cannot be set when spec.os.name is windows.
items:
format: int64
type: integer
type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
sysctls:
description: |-
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -2060,6 +2211,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
windowsOptions:
description: |-
The Windows specific settings applied to all containers.
@@ -2177,11 +2329,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2203,7 +2357,6 @@ spec:
Keys that don't exist in the incoming pod labels will
be ignored. A null or empty list means only match against labelSelector.
-
This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
items:
type: string
@@ -2243,7 +2396,6 @@ spec:
Valid values are integers greater than 0.
When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
-
For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
labelSelector spread as 2/2/2:
| zone1 | zone2 | zone3 |
@@ -2252,9 +2404,6 @@ spec:
In this situation, new pod with the same labelSelector cannot be scheduled,
because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
it will violate MaxSkew.
-
-
- This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
format: int32
type: integer
nodeAffinityPolicy:
@@ -2264,7 +2413,6 @@ spec:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
-
If this value is nil, the behavior is equivalent to the Honor policy.
This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
@@ -2276,7 +2424,6 @@ spec:
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
-
If this value is nil, the behavior is equivalent to the Ignore policy.
This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
@@ -2406,11 +2553,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
@@ -2438,11 +2587,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
weight:
@@ -2455,6 +2606,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
@@ -2499,11 +2651,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
@@ -2531,14 +2685,17 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
type: array
+ x-kubernetes-list-type: atomic
required:
- nodeSelectorTerms
type: object
@@ -2599,11 +2756,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2618,13 +2777,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2633,13 +2792,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2679,11 +2838,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2703,6 +2864,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -2725,6 +2887,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
@@ -2774,11 +2937,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2793,13 +2958,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2808,13 +2973,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2853,11 +3018,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2877,6 +3044,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -2889,6 +3057,7 @@ spec:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g.
@@ -2946,11 +3115,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -2965,13 +3136,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2980,13 +3151,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3026,11 +3197,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -3050,6 +3223,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -3072,6 +3246,7 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
@@ -3121,11 +3296,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -3140,13 +3317,13 @@ spec:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3155,13 +3332,13 @@ spec:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
- incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
- The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3200,11 +3377,13 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
@@ -3224,6 +3403,7 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -3236,6 +3416,7 @@ spec:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
type: object
args:
@@ -3281,10 +3462,13 @@ spec:
description: The key to select.
type: string
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap or its key
@@ -3343,10 +3527,13 @@ spec:
be a valid secret key.
type: string
name:
+ default: ""
description: |-
Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key must
@@ -3389,11 +3576,9 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
-
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
-
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3404,6 +3589,12 @@ spec:
the Pod where this field is used. It makes that resource available
inside a container.
type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
required:
- name
type: object
@@ -3440,18 +3631,39 @@ spec:
description: SecurityContext holds pod-level security attributes and
common container settings.
properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
-
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
-
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
format: int64
@@ -3495,6 +3707,32 @@ spec:
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
+ seLinuxChangePolicy:
+ description: |-
+ seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+ It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+ Valid values are "MountOption" and "Recursive".
+
+ "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+ This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+ "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+ This requires all Pods that share the same volume to use the same SELinux label.
+ It is not possible to share the same volume among privileged and unprivileged Pods.
+ Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+ whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+ CSIDriver instance. Other volumes are always re-labelled recursively.
+ "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+ If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+ If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+ and "Recursive" for all other volumes.
+
+ This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+ All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
@@ -3538,7 +3776,6 @@ spec:
type indicates which kind of seccomp profile will be applied.
Valid options are:
-
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
@@ -3548,17 +3785,28 @@ spec:
type: object
supplementalGroups:
description: |-
- A list of groups applied to the first process run in each container, in addition
- to the container's primary GID, the fsGroup (if specified), and group memberships
- defined in the container image for the uid of the container process. If unspecified,
- no additional groups are added to any container. Note that group memberships
- defined in the container image for the uid of the container process are still effective,
- even if they are not included in this list.
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
Note that this field cannot be set when spec.os.name is windows.
items:
format: int64
type: integer
type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
sysctls:
description: |-
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -3578,6 +3826,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
windowsOptions:
description: |-
The Windows specific settings applied to all containers.
@@ -3664,7 +3913,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
+ controller-gen.kubebuilder.io/version: v0.16.5
name: udproutes.stunner.l7mp.io
spec:
group: stunner.l7mp.io
@@ -3689,7 +3938,6 @@ spec:
used to forward traffic on the port specified by the listener to a set of backends specified by
the UDPRoute.
-
Differences from Gateway API UDPRoutes
- port-ranges are correctly handled ([port, endPort])
- port is not mandatory
@@ -3728,21 +3976,16 @@ spec:
create a "producer" route for a Service in a different namespace from the
Route.
-
There are two kinds of parent resources with "Core" support:
-
* Gateway (Gateway conformance profile)
-
- * Service (Mesh conformance profile, experimental, ClusterIP Services only)
-
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
This API may be extended in the future to support additional kinds of parent
resources.
-
ParentRefs must be _distinct_. This means either that:
-
* They select different objects. If this is the case, then parentRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by `group`, `kind`, `namespace`, and `name` must
@@ -3752,10 +3995,8 @@ spec:
optional fields to different values. If one ParentRef sets a
combination of optional fields, all must set the same combination.
-
Some examples:
-
* If one ParentRef sets `sectionName`, all ParentRefs referencing the
same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
@@ -3763,27 +4004,23 @@ spec:
* If one ParentRef sets `sectionName` and `port`, all ParentRefs
referencing the same object must also set `sectionName` and `port`.
-
It is possible to separately reference multiple distinct objects that may
be collapsed by an implementation. For example, some implementations may
choose to merge compatible Gateway Listeners together. If that is the
case, the list of routes attached to those resources should also be
merged.
-
Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example,
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable other kinds of cross-namespace reference.
-
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
-
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
@@ -3791,7 +4028,6 @@ spec:
ParentRef of the Route.
-
@@ -3802,15 +4038,12 @@ spec:
a parent of this resource (usually a route). There are two kinds of parent resources
with "Core" support:
-
* Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, experimental, ClusterIP Services only)
-
+ * Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
-
The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.
properties:
@@ -3822,7 +4055,6 @@ spec:
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
-
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -3832,13 +4064,10 @@ spec:
description: |-
Kind is kind of the referent.
-
There are two kinds of parent resources with "Core" support:
-
* Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, experimental, ClusterIP Services only)
-
+ * Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
@@ -3849,7 +4078,6 @@ spec:
description: |-
Name is the name of the referent.
-
Support: Core
maxLength: 253
minLength: 1
@@ -3859,20 +4087,17 @@ spec:
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
-
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
-
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
-
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
@@ -3880,7 +4105,6 @@ spec:
ParentRef of the Route.
-
Support: Core
maxLength: 63
minLength: 1
@@ -3891,7 +4115,6 @@ spec:
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
-
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
@@ -3900,19 +4123,16 @@ spec:
and SectionName are specified, the name and port of the selected listener
must match both specified values.
-
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
-
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
-
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
@@ -3921,11 +4141,7 @@ spec:
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
-
Support: Extended
-
-
-
format: int32
maximum: 65535
minimum: 1
@@ -3935,22 +4151,17 @@ spec:
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
-
- * Gateway: Listener Name. When both Port (experimental) and SectionName
+ * Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
- * Service: Port Name. When both Port (experimental) and SectionName
+ * Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services as Parents
- is part of experimental Mesh support and is not supported for any other
- purpose.
-
+ both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
-
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
@@ -3960,7 +4171,6 @@ spec:
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
-
Support: Core
maxLength: 253
minLength: 1
@@ -4056,13 +4266,11 @@ spec:
first sees the route and should update the entry as appropriate when the
route or gateway is modified.
-
Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this API
can only populate Route status for the Gateways/parent resources they are
responsible for.
-
A maximum of 32 Gateways will be represented in this list. An empty list
means the route has not been attached to any Gateway.
items:
@@ -4076,38 +4284,24 @@ spec:
Note that the route's availability is also subject to the Gateway's own
status conditions and listener status.
-
If the Route's ParentRef specifies an existing Gateway that supports
Routes of this kind AND that Gateway's controller has sufficient access,
then that Gateway's controller MUST set the "Accepted" condition on the
Route, to indicate whether the route has been accepted or rejected by the
Gateway, and why.
-
A Route MUST be considered "Accepted" if at least one of the Route's
rules is implemented by the Gateway.
-
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
-
* The Route refers to a non-existent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource.\n---\nThis struct
- is intended for direct use as an array at the field path
- .status.conditions. For example,\n\n\n\ttype FooStatus
- struct{\n\t // Represents the observations of a foo's
- current state.\n\t // Known .status.conditions.type are:
- \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t //
- +listType=map\n\t // +listMapKey=type\n\t Conditions
- []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
- patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
@@ -4149,12 +4343,7 @@ spec:
- Unknown
type: string
type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -4177,15 +4366,12 @@ spec:
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
-
Example: "example.net/gateway-controller".
-
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
@@ -4206,7 +4392,6 @@ spec:
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
-
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -4216,13 +4401,10 @@ spec:
description: |-
Kind is kind of the referent.
-
There are two kinds of parent resources with "Core" support:
-
* Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, experimental, ClusterIP Services only)
-
+ * Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
@@ -4233,7 +4415,6 @@ spec:
description: |-
Name is the name of the referent.
-
Support: Core
maxLength: 253
minLength: 1
@@ -4243,20 +4424,17 @@ spec:
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
-
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
-
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
-
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
@@ -4264,7 +4442,6 @@ spec:
ParentRef of the Route.
-
Support: Core
maxLength: 63
minLength: 1
@@ -4275,7 +4452,6 @@ spec:
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
-
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
@@ -4284,19 +4460,16 @@ spec:
and SectionName are specified, the name and port of the selected listener
must match both specified values.
-
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
-
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
-
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
@@ -4305,11 +4478,7 @@ spec:
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
-
Support: Extended
-
-
-
format: int32
maximum: 65535
minimum: 1
@@ -4319,22 +4488,17 @@ spec:
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
-
- * Gateway: Listener Name. When both Port (experimental) and SectionName
+ * Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
- * Service: Port Name. When both Port (experimental) and SectionName
+ * Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services as Parents
- is part of experimental Mesh support and is not supported for any other
- purpose.
-
+ both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
-
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
@@ -4344,7 +4508,6 @@ spec:
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
-
Support: Core
maxLength: 253
minLength: 1
@@ -4369,3 +4532,4 @@ spec:
storage: true
subresources:
status: {}
+---
\ No newline at end of file
diff --git a/helm/stunner-gateway-operator/templates/stunner-gateway-operator.yaml b/helm/stunner-gateway-operator/templates/stunner-gateway-operator.yaml
index c72ad13..ab5c60d 100644
--- a/helm/stunner-gateway-operator/templates/stunner-gateway-operator.yaml
+++ b/helm/stunner-gateway-operator/templates/stunner-gateway-operator.yaml
@@ -48,32 +48,11 @@ kind: ClusterRole
metadata:
name: stunner-gateway-operator-manager-role
rules:
-- apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments/finalizers
- - deployments/status
- verbs:
- - get
- - list
- - watch
- apiGroups:
- ""
resources:
- configmaps
+ - services
verbs:
- create
- delete
@@ -92,27 +71,21 @@ rules:
- ""
resources:
- endpoints
+ - endpoints/status
- namespaces
- nodes
- - secrets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - endpoints/status
- nodes/status
+ - secrets
- services/status
verbs:
- get
- list
- watch
- apiGroups:
- - ""
+ - apps
resources:
- - services
+ - daemonsets
+ - deployments
verbs:
- create
- delete
@@ -122,9 +95,12 @@ rules:
- update
- watch
- apiGroups:
- - discovery.k8s.io
+ - apps
resources:
- - endpointslices
+ - daemonsets/finalizers
+ - daemonsets/status
+ - deployments/finalizers
+ - deployments/status
verbs:
- get
- list
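Review bot: The `daemonsets/finalizers` and `deployments/finalizers` entries in this rule are paired with read verbs only (`get` and `list` are visible; the verb list continues outside the hunk), and read verbs on the `finalizers` subresource normally have no effect. That subresource matters for `update`, which the API server checks when an owner reference with `blockOwnerDeletion` is set. If the operator needs that, the verb is missing. If it does not, the two entries can be dropped so the role lists only what is actually used. The rule is presumably generated from RBAC markers in the operator source, so the fix would belong there rather than in this template.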
@@ -132,6 +108,7 @@ rules:
- apiGroups:
- discovery.k8s.io
resources:
+ - endpointslices
- endpointslices/status
verbs:
- get
@@ -269,6 +246,15 @@ data:
resourceName: 92062b70.l7mp.io
---
apiVersion: v1
+kind: Secret
+metadata:
+ name: stunner-gateway-operator-customer-secret
+ namespace: {{ $.Values.namespace | default $.Release.Namespace }}
+type: Opaque
+data:
+ CUSTOMER_KEY: {{ .Values.stunnerGatewayOperator.customerKey | b64enc }}
+---
+apiVersion: v1
kind: Service
metadata:
labels:
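Review bot: The new Secret takes the customer key straight from `.Values.stunnerGatewayOperator.customerKey`, so the key has to be supplied through chart values and then also lives in Helm's stored release data and in `helm get values` output, not only in this Secret. Consider letting the chart reference a pre-created Secret by name and rendering this one only when no name is given; the `secretKeyRef` added in the Deployment hunk below would then point at that name. Separately, the rendered value is unquoted and `b64enc` expects a string: with the default `customerKey: ""` from values.yaml the line renders as an empty (null) value, and a numeric-looking key passed with `--set` would presumably fail to render. `CUSTOMER_KEY: {{ .Values.stunnerGatewayOperator.customerKey | toString | b64enc | quote }}` covers both cases.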
@@ -356,6 +342,11 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
+ - name: CUSTOMER_KEY
+ valueFrom:
+ secretKeyRef:
+ key: CUSTOMER_KEY
+ name: stunner-gateway-operator-customer-secret
image: "{{ .Values.stunnerGatewayOperator.deployment.container.manager.image.name }}:{{ .Values.stunnerGatewayOperator.deployment.container.manager.image.tag }}"
imagePullPolicy: {{ .Values.stunnerGatewayOperator.deployment.container.manager.image.pullPolicy }}
livenessProbe:
diff --git a/helm/stunner-gateway-operator/values.yaml b/helm/stunner-gateway-operator/values.yaml
index 751c15e..3ae2b84 100644
--- a/helm/stunner-gateway-operator/values.yaml
+++ b/helm/stunner-gateway-operator/values.yaml
@@ -6,6 +6,7 @@
stunnerGatewayOperator:
enabled: true
+ customerKey: ""
deployment:
name: stunner-gateway-operator
podLabels: {}