Documentation
¶
Index ¶
- Constants
- type CellDoc
- type CellMetadata
- type CellNetworkStatus
- type CellProfileDoc
- type CellProfileMetadata
- type CellProfileParameter
- type CellProfileSpec
- type CellSpec
- type CellState
- type CellStatus
- type CellTty
- type ClientConfigurationDoc
- type ClientConfigurationMetadata
- type ClientConfigurationSpec
- type ContainerCapabilities
- type ContainerDoc
- type ContainerMetadata
- type ContainerResources
- type ContainerSecret
- type ContainerSpec
- type ContainerState
- type ContainerStatus
- type ContainerTmpfsMount
- type ContainerTty
- type EgressAllowRule
- type EgressDefault
- type EgressPolicy
- type Kind
- type RealmDoc
- type RealmMetadata
- type RealmSpec
- type RealmState
- type RealmStatus
- type RegistryCredentials
- type ServerConfigurationDoc
- type ServerConfigurationMetadata
- type ServerConfigurationSpec
- type SpaceContainerDefaults
- type SpaceDefaults
- type SpaceDoc
- type SpaceMetadata
- type SpaceNetwork
- type SpaceSpec
- type SpaceState
- type SpaceStatus
- type StackDoc
- type StackMetadata
- type StackSpec
- type StackState
- type StackStatus
- type TtyStage
- type Version
- type VolumeKind
- type VolumeMount
Constants ¶
View Source
const ( StatePendingStr = "Pending" StateReadyStr = "Ready" StateStoppedStr = "Stopped" StatePausedStr = "Paused" StatePausingStr = "Pausing" StateFailedStr = "Failed" StateUnknownStr = "Unknown" StateCreatingStr = "Creating" StateDeletingStr = "Deleting" )
Common printable state strings.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CellDoc ¶
type CellDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata CellMetadata `json:"metadata" yaml:"metadata"`
Spec CellSpec `json:"spec" yaml:"spec"`
Status CellStatus `json:"status" yaml:"status"`
}
func NewCellDoc ¶
NewCellDoc creates a CellDoc ensuring all nested structs are initialized.
type CellMetadata ¶
type CellNetworkStatus ¶ added in v0.3.0
type CellNetworkStatus struct {
BridgeName string `json:"bridgeName,omitempty" yaml:"bridgeName,omitempty"`
}
CellNetworkStatus exposes the host-side bridge a cell is attached to. Populated by the runner during cell provisioning so describe/get -o yaml surfaces the iface name without recomputing the hash. Always emitted in the canonical k-{8hex} form (see cni.SafeBridgeName).
type CellProfileDoc ¶ added in v0.3.0
type CellProfileDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata CellProfileMetadata `json:"metadata" yaml:"metadata"`
Spec CellProfileSpec `json:"spec" yaml:"spec"`
}
CellProfileDoc is a per-user reusable cell template loaded from $HOME/.kuke/profiles.d/<name>.yaml (or $KUKE_PROFILES_DIR). It is never sent to the daemon: `kuke run -p` materializes a CellDoc from it locally and proceeds along the same `-f` path.
type CellProfileMetadata ¶ added in v0.3.0
type CellProfileParameter ¶ added in v0.4.0
type CellProfileParameter struct {
Name string `json:"name" yaml:"name"`
Description string `json:"description,omitempty" yaml:"description,omitempty"`
Default *string `json:"default,omitempty" yaml:"default,omitempty"`
Required bool `json:"required,omitempty" yaml:"required,omitempty"`
}
CellProfileParameter declares one substitution variable used by the profile body. Default is a pointer so YAML/JSON can distinguish "no default" (nil) from an explicit empty default (""). The substitution engine treats them differently: a missing default falls through to the env-var lookup, while an explicit empty default short-circuits there.
type CellProfileSpec ¶ added in v0.3.0
type CellProfileSpec struct {
Realm string `json:"realm,omitempty" yaml:"realm,omitempty"`
Space string `json:"space,omitempty" yaml:"space,omitempty"`
Stack string `json:"stack,omitempty" yaml:"stack,omitempty"`
Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
Parameters []CellProfileParameter `json:"parameters,omitempty" yaml:"parameters,omitempty"`
Cell CellSpec `json:"cell" yaml:"cell"`
}
CellProfileSpec carries the location triple (realm/space/stack) plus a CellSpec body. The location uses the user-facing names rather than internal IDs so a profile is portable between hosts.
Prefix is an optional override for the prefix used when generating cell names; when unset, the prefix defaults to metadata.name. Every Materialize call appends a `-<6hex>` suffix so each invocation produces a fresh cell — CellProfile is always a template. Use the Cell kind for singleton workloads.
Parameters declares the `${KEY}` substitution variables the profile body references. `kuke run -p` resolves each declared parameter against the caller's --param map, the parameter's Default, and (when permitted) the kuke process's env, in that order. Profiles fail to load when the body references a key that is not declared here, so typos surface at install time rather than as a runtime mystery.
type CellSpec ¶
type CellSpec struct {
ID string `json:"id" yaml:"id"`
RealmID string `json:"realmId" yaml:"realmId"`
SpaceID string `json:"spaceId" yaml:"spaceId"`
StackID string `json:"stackId" yaml:"stackId"`
RootContainerID string `json:"rootContainerId,omitempty" yaml:"rootContainerId,omitempty"`
Tty *CellTty `json:"tty,omitempty" yaml:"tty,omitempty"`
Containers []ContainerSpec `json:"containers" yaml:"containers"`
// AutoDelete asks kukeond to delete this cell best-effort after its root
// container's task exits (any rc). Set by `kuke run --rm`. Cleanup is
// scoped to the cell only — never cascades to stack/space/realm.
// Cleanup is driven by kukeond's reconcile loop: the next pass that
// observes the root task as Stopped/Failed runs KillCell+DeleteCell on
// the cell. Latency is bounded by the reconcile interval, and the
// trigger survives daemon restarts (no per-cell goroutine needs to be
// re-installed on startup).
AutoDelete bool `json:"autoDelete,omitempty" yaml:"autoDelete,omitempty"`
// NestedCgroupRuntime opts the cell into delegating the full
// host-available cgroup-v2 controller set on its cgroup.subtree_control,
// rather than the kukeon resource subset (cpu/memory/io/pids). This is
// the knob a cell that hosts a nested cgroup runtime — an inner
// containerd, runc, or systemd that places its own children in
// sub-cgroups under the cell — needs so the inner runtime can in turn
// delegate any controller it wants to its workloads. Default false
// keeps the existing cell-as-leaf semantics (issue #312) untouched.
NestedCgroupRuntime bool `json:"nestedCgroupRuntime,omitempty" yaml:"nestedCgroupRuntime,omitempty"`
}
type CellState ¶
type CellState int
func (CellState) MarshalJSON ¶ added in v0.5.0
func (CellState) MarshalYAML ¶ added in v0.5.0
func (*CellState) UnmarshalJSON ¶ added in v0.5.0
type CellStatus ¶
type CellStatus struct {
State CellState `json:"state" yaml:"state"`
CgroupPath string `json:"cgroupPath" yaml:"cgroupPath"`
// SubtreeControllers is the cgroup-v2 controller set actually
// delegated on this cell's own cgroup.subtree_control after the
// host-root filter (issue #328). For NestedCgroupRuntime cells this
// is the full host-available set; for ordinary cells it's the
// kukeon resource subset (cpu/memory/io/pids).
SubtreeControllers []string `json:"subtreeControllers,omitempty" yaml:"subtreeControllers,omitempty"`
Network CellNetworkStatus `json:"network,omitempty" yaml:"network,omitempty"`
Containers []ContainerStatus `json:"containers" yaml:"containers"`
// ReadyObserved is the persisted form of the one-way latch the
// reconciler uses to gate Spec.AutoDelete cleanup. Once a cell has
// been observed Ready it stays true across daemon restarts so that
// cleanup of a `kuke run --rm` cell that was already Ready at
// shutdown still fires on the next tick after restart.
ReadyObserved bool `json:"readyObserved,omitempty" yaml:"readyObserved,omitempty"`
// Lifecycle and runtime-health fields — see RealmStatus for the
// per-field contract; the semantics carry across all four kinds.
CreatedAt time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
UpdatedAt time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
ReadyAt time.Time `json:"readyAt,omitempty" yaml:"readyAt,omitempty"`
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
Message string `json:"message,omitempty" yaml:"message,omitempty"`
CgroupReady bool `json:"cgroupReady,omitempty" yaml:"cgroupReady,omitempty"`
}
type CellTty ¶ added in v0.3.0
type CellTty struct {
// Default names the attachable container the post-start attach
// (`kuke run`'s default mode) selects when no --container flag is
// given. Must reference an existing container in this cell whose
// Attachable=true (or be empty).
Default string `json:"default,omitempty" yaml:"default,omitempty"`
}
CellTty is cell-level tty/attach config. Kept intentionally minimal: only fields the container or container-level tty cannot express belong here.
type ClientConfigurationDoc ¶ added in v0.3.0
type ClientConfigurationDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata ClientConfigurationMetadata `json:"metadata" yaml:"metadata"`
Spec ClientConfigurationSpec `json:"spec" yaml:"spec"`
}
ClientConfigurationDoc is the kuke-side configuration document. It is loaded by the `kuke` cobra root via `kuke --configuration <path>` (default `~/.kuke/kuke.yaml`) and seeds defaults for client-only settings such as the daemon endpoint and the default output format. It is not a server-side resource: `kuke apply` rejects it.
type ClientConfigurationMetadata ¶ added in v0.3.0
type ClientConfigurationSpec ¶ added in v0.3.0
type ClientConfigurationSpec struct {
// Host is the kukeond endpoint kuke dials by default
// (`unix:///run/kukeon/kukeond.sock` or `ssh://user@host`).
Host string `json:"host,omitempty" yaml:"host,omitempty"`
// RunPath is the kukeon runtime root used by `--no-daemon` operations
// that read /opt/kukeon directly instead of going through kukeond.
RunPath string `json:"runPath,omitempty" yaml:"runPath,omitempty"`
// ContainerdSocket is the containerd unix socket `--no-daemon`
// operations connect to.
ContainerdSocket string `json:"containerdSocket,omitempty" yaml:"containerdSocket,omitempty"`
// LogLevel is the client log level when `--verbose` is on
// (debug, info, warn, error).
LogLevel string `json:"logLevel,omitempty" yaml:"logLevel,omitempty"`
}
ClientConfigurationSpec carries kuke-only settings. Each field is optional: an absent or empty value falls back to the client's hardcoded default. Explicit command-line flags (`--host`, `--log-level`, …) and matching env vars (`KUKEON_HOST`, `KUKEON_LOG_LEVEL`, …) still take precedence over values loaded from this document.
type ContainerCapabilities ¶ added in v0.2.0
type ContainerCapabilities struct {
Drop []string `json:"drop,omitempty" yaml:"drop,omitempty"`
Add []string `json:"add,omitempty" yaml:"add,omitempty"`
}
ContainerCapabilities groups Linux capability deltas applied to the container process relative to the image default set.
type ContainerDoc ¶
type ContainerDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata ContainerMetadata `json:"metadata" yaml:"metadata"`
Spec ContainerSpec `json:"spec" yaml:"spec"`
Status ContainerStatus `json:"status" yaml:"status"`
}
func NewContainerDoc ¶
func NewContainerDoc(from *ContainerDoc) *ContainerDoc
NewContainerDoc creates a ContainerDoc ensuring all nested structs are initialized.
type ContainerMetadata ¶
type ContainerResources ¶ added in v0.2.0
type ContainerResources struct {
MemoryLimitBytes *int64 `json:"memoryLimitBytes,omitempty" yaml:"memoryLimitBytes,omitempty"`
PidsLimit *int64 `json:"pidsLimit,omitempty" yaml:"pidsLimit,omitempty"`
}
ContainerResources exposes the cgroup v2 knobs the orchestrator supports for per-container resource limits.
type ContainerSecret ¶ added in v0.2.0
type ContainerSecret struct {
Name string `json:"name" yaml:"name"`
FromFile string `json:"fromFile,omitempty" yaml:"fromFile,omitempty"`
FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
MountPath string `json:"mountPath,omitempty" yaml:"mountPath,omitempty"`
}
ContainerSecret references a credential that the daemon resolves at apply time and injects into the container — either as an environment variable (default) or as a read-only file when MountPath is set. Only the reference is persisted; the resolved value is never written to status, metadata, or logs.
type ContainerSpec ¶
type ContainerSpec struct {
ID string `json:"id" yaml:"id"`
ContainerdID string `json:"containerdId,omitempty" yaml:"containerdId,omitempty"`
RealmID string `json:"realmId" yaml:"realmId"`
SpaceID string `json:"spaceId" yaml:"spaceId"`
StackID string `json:"stackId" yaml:"stackId"`
CellID string `json:"cellId" yaml:"cellId"`
Root bool `json:"root,omitempty" yaml:"root,omitempty"`
Image string `json:"image" yaml:"image"`
Command string `json:"command" yaml:"command"`
Args []string `json:"args" yaml:"args"`
// WorkingDir sets the cwd of the spawned container process — OCI
// process.cwd, Docker WORKDIR, K8s Container.workingDir. Empty falls
// back to the image's WORKDIR (no behavior change for existing specs).
WorkingDir string `json:"workingDir,omitempty" yaml:"workingDir,omitempty"`
Env []string `json:"env" yaml:"env"`
Ports []string `json:"ports" yaml:"ports"`
Volumes []VolumeMount `json:"volumes" yaml:"volumes"`
Networks []string `json:"networks" yaml:"networks"`
NetworksAliases []string `json:"networksAliases" yaml:"networksAliases"`
Privileged bool `json:"privileged" yaml:"privileged"`
// HostNetwork opts the container into the host's network namespace.
// When true, the runner omits the network LinuxNamespace from the OCI
// spec (containerd's WithHostNamespace) and does not invoke CNI attach,
// since a host-netns container has no per-container veth to wire up.
// Used by the kukeond bootstrap so daemon-installed bridges, veths, and
// iptables rules land in host scope where kubelet-style CNI plumbing
// belongs. Default false — no behavior change for existing specs.
HostNetwork bool `json:"hostNetwork,omitempty" yaml:"hostNetwork,omitempty"`
// HostPID opts the container into the host's PID namespace. When true,
// the runner omits the PID LinuxNamespace from the OCI spec so /proc
// inside the container reflects host PIDs. Used by the kukeond bootstrap
// so the CNI bridge plugin running inside the daemon can resolve the
// host PIDs containerd returns from task.Pid() — without this, attaching
// user cells to a network fails with `Statfs /proc/<host-pid>/ns/net:
// no such file or directory`. Default false — no behavior change for
// existing specs.
HostPID bool `json:"hostPID,omitempty" yaml:"hostPID,omitempty"`
// HostCgroup, when true, opts the container into its parent's cgroup
// namespace. Default false unshares the cgroup-ns: the container sees
// its own cgroup as / and any nested runtime (containerd, runc,
// dockerd, kuke init) writes its cgroup tree under the cell — which
// is the property that lets a nested kuke init complete the runc
// task-create step that otherwise trips the "cgroup not empty"
// precheck.
//
// Set true only for kukeond-style cells that need to write cgroups
// *outside* their own subtree to manage user workloads. For ordinary
// workload containers, leave false.
//
// Translates to omitting the LinuxNamespace{Type: cgroup} entry from
// the OCI spec when true; appending it when false.
HostCgroup bool `json:"hostCgroup,omitempty" yaml:"hostCgroup,omitempty"`
User string `json:"user,omitempty" yaml:"user,omitempty"`
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" yaml:"readOnlyRootFilesystem,omitempty"`
Capabilities *ContainerCapabilities `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
SecurityOpts []string `json:"securityOpts,omitempty" yaml:"securityOpts,omitempty"`
Tmpfs []ContainerTmpfsMount `json:"tmpfs,omitempty" yaml:"tmpfs,omitempty"`
Resources *ContainerResources `json:"resources,omitempty" yaml:"resources,omitempty"`
Secrets []ContainerSecret `json:"secrets,omitempty" yaml:"secrets,omitempty"`
CNIConfigPath string `json:"cniConfigPath,omitempty" yaml:"cniConfigPath,omitempty"`
RestartPolicy string `json:"restartPolicy" yaml:"restartPolicy"`
// Attachable opts the container into sbsh-wrapper injection. When true,
// the daemon prepends `sbsh terminal --run-path /run/kukeon/tty …` to
// process.args, bind-mounts the sbsh binary read-only at /.kukeon/bin/sbsh,
// and bind-mounts a per-container tty directory at /run/kukeon/tty (sbsh
// owns its socket, capture, and log files inside it). The host-visible
// peer of that directory lives in the per-container metadata dir and its
// `socket` entry is what `kuke attach` connects to. Default false — no
// behavior change for existing specs.
Attachable bool `json:"attachable,omitempty" yaml:"attachable,omitempty"`
// Tty configures shell-UX (prompt, init scripts) for the sbsh wrapper
// when Attachable=true. The container model already owns command, args,
// workingDir, and env, so Tty intentionally only adds layers the
// container model can't express. Setting any tty field with
// Attachable=false is a validation error.
Tty *ContainerTty `json:"tty,omitempty" yaml:"tty,omitempty"`
}
type ContainerState ¶
type ContainerState int
const ( ContainerStatePending ContainerState = iota ContainerStateReady ContainerStateStopped ContainerStatePaused ContainerStatePausing ContainerStateFailed ContainerStateUnknown )
func (ContainerState) MarshalJSON ¶ added in v0.5.0
func (s ContainerState) MarshalJSON() ([]byte, error)
func (ContainerState) MarshalYAML ¶ added in v0.5.0
func (s ContainerState) MarshalYAML() (interface{}, error)
func (*ContainerState) String ¶
func (c *ContainerState) String() string
func (*ContainerState) UnmarshalJSON ¶ added in v0.5.0
func (s *ContainerState) UnmarshalJSON(data []byte) error
func (*ContainerState) UnmarshalYAML ¶ added in v0.5.0
func (s *ContainerState) UnmarshalYAML(node *yaml.Node) error
type ContainerStatus ¶
type ContainerStatus struct {
Name string `json:"name" yaml:"name"`
ID string `json:"id" yaml:"id"`
State ContainerState `json:"state" yaml:"state"`
RestartCount int `json:"restartCount" yaml:"restartCount"`
RestartTime time.Time `json:"restartTime" yaml:"restartTime"`
StartTime time.Time `json:"startTime" yaml:"startTime"`
FinishTime time.Time `json:"finishTime" yaml:"finishTime"`
ExitCode int `json:"exitCode" yaml:"exitCode"`
ExitSignal string `json:"exitSignal" yaml:"exitSignal"`
}
type ContainerTmpfsMount ¶ added in v0.2.0
type ContainerTmpfsMount struct {
Path string `json:"path" yaml:"path"`
SizeBytes int64 `json:"sizeBytes,omitempty" yaml:"sizeBytes,omitempty"`
Options []string `json:"options,omitempty" yaml:"options,omitempty"`
}
ContainerTmpfsMount declares a tmpfs mount inside the container.
type ContainerTty ¶ added in v0.3.0
type ContainerTty struct {
// Prompt is the literal prompt expression sbsh stamps onto
// TerminalSpec.Prompt and flips SetPrompt on for. Empty leaves
// SetPrompt off (sbsh's wrapper skips PS1 injection).
Prompt string `json:"prompt,omitempty" yaml:"prompt,omitempty"`
// OnInit are scripts run once when the wrapped shell starts, in
// order. Forwarded to TerminalSpec.Stages.OnInit via sbsh's
// WithOnInit; an empty slice leaves Stages.OnInit zero.
OnInit []TtyStage `json:"onInit,omitempty" yaml:"onInit,omitempty"`
// LogFile is the in-container path where sbsh's runner writes its
// runtime/debug log. Empty (the default) means sbsh's runner skips
// log-writer setup entirely. Set this to a path inside the kuketty
// tty bind mount (e.g. "/run/kukeon/tty/log") if the operator wants
// the log file host-visible through the directory bind mount; any
// other in-container path is accepted and just stays inside the
// container's overlay. Mode and GID are not user-configurable here
// — the daemon applies its system-wide AttachableLogFileMode and
// the kukeon-group GID, gated on the kukeon group being configured
// (matches the SocketMode/CaptureMode treatment).
LogFile string `json:"logFile,omitempty" yaml:"logFile,omitempty"`
}
ContainerTty carries per-attach shell-UX config that the daemon threads into sbsh terminal on first attach. Has no effect unless Attachable=true.
All fields are stamped directly onto the rendered sbsh TerminalSpec via sbsh's inline builder lane (sbsh v0.11.2+, kukeon #494). The pre-#494 Profile / ProfilesDir fields that pointed at on-disk TerminalProfile YAML have been removed; cell YAML that still carries those keys is silently ignored by the default YAML decoder.
func (*ContainerTty) IsEmpty ¶ added in v0.3.0
func (t *ContainerTty) IsEmpty() bool
IsEmpty reports whether the tty block carries no user-supplied config — i.e. equivalent to omitting the block entirely. Used by validation to distinguish "explicitly empty" from "any field set".
type EgressAllowRule ¶ added in v0.2.0
type EgressAllowRule struct {
Host string `json:"host,omitempty" yaml:"host,omitempty"`
CIDR string `json:"cidr,omitempty" yaml:"cidr,omitempty"`
Ports []int `json:"ports,omitempty" yaml:"ports,omitempty"`
}
EgressAllowRule describes a single permitted destination. Exactly one of Host or CIDR must be set. Ports, when non-empty, constrains to those TCP destination ports; empty Ports means "any port on this destination".
Host entries are resolved to IPs by the daemon at apply time; the resulting iptables rules reflect the IPs known at that moment. See the Space manifest docs for the TTL caveat.
type EgressDefault ¶ added in v0.2.0
type EgressDefault string
EgressDefault is the fallthrough action when no allowlist rule matches.
const ( EgressDefaultAllow EgressDefault = "allow" EgressDefaultDeny EgressDefault = "deny" )
type EgressPolicy ¶ added in v0.2.0
type EgressPolicy struct {
Default EgressDefault `json:"default" yaml:"default"`
Allow []EgressAllowRule `json:"allow,omitempty" yaml:"allow,omitempty"`
}
EgressPolicy constrains outbound traffic leaving the space bridge toward the host or external networks. When nil, traffic is unconstrained (current behavior). An explicit Default=allow with no Allow rules also matches current behavior.
type Kind ¶
type Kind string
const ( // KindCell identifies cell documents. KindCell Kind = "Cell" // KindContainer identifies container documents. KindContainer Kind = "Container" // KindRealm identifies realm documents. KindRealm Kind = "Realm" // KindSpace identifies space documents. KindSpace Kind = "Space" // KindStack identifies stack documents. KindStack Kind = "Stack" // KindCellProfile identifies per-user cell-template documents loaded by // `kuke run -p`. Profiles are not server-side resources — `kuke apply` // rejects them. KindCellProfile Kind = "CellProfile" // KindServerConfiguration identifies the kukeond daemon's configuration // document loaded via `kukeond --configuration` (and consumed by // `kuke init --server-configuration`). Not a server-side resource — // `kuke apply` rejects it. KindServerConfiguration Kind = "ServerConfiguration" // KindClientConfiguration identifies the kuke client's configuration // document loaded via `kuke --configuration` (default // `~/.kuke/kuke.yaml`). Not a server-side resource — `kuke apply` // rejects it. KindClientConfiguration Kind = "ClientConfiguration" )
Kinds.
type RealmDoc ¶
type RealmDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata RealmMetadata `json:"metadata" yaml:"metadata"`
Spec RealmSpec `json:"spec" yaml:"spec"`
Status RealmStatus `json:"status" yaml:"status"`
}
type RealmMetadata ¶
type RealmSpec ¶
type RealmSpec struct {
Namespace string `json:"namespace" yaml:"namespace"`
RegistryCredentials []RegistryCredentials `json:"registryCredentials,omitempty" yaml:"registryCredentials,omitempty"`
}
type RealmState ¶
type RealmState int
const ( RealmStatePending RealmState = iota RealmStateCreating RealmStateReady RealmStateDeleting RealmStateFailed RealmStateUnknown )
func (RealmState) MarshalJSON ¶ added in v0.5.0
func (s RealmState) MarshalJSON() ([]byte, error)
func (RealmState) MarshalYAML ¶ added in v0.5.0
func (s RealmState) MarshalYAML() (interface{}, error)
func (*RealmState) String ¶
func (r *RealmState) String() string
func (*RealmState) UnmarshalJSON ¶ added in v0.5.0
func (s *RealmState) UnmarshalJSON(data []byte) error
func (*RealmState) UnmarshalYAML ¶ added in v0.5.0
func (s *RealmState) UnmarshalYAML(node *yaml.Node) error
type RealmStatus ¶
type RealmStatus struct {
State RealmState `json:"state" yaml:"state"`
CgroupPath string `json:"cgroupPath,omitempty" yaml:"cgroupPath,omitempty"`
// SubtreeControllers is the cgroup-v2 controller set actually
// delegated on this realm's own cgroup.subtree_control after the
// host-root filter (issue #328).
SubtreeControllers []string `json:"subtreeControllers,omitempty" yaml:"subtreeControllers,omitempty"`
// CreatedAt is the wall-clock time of the first persist for this
// realm. Bumped only when zero so the value never moves once set.
CreatedAt time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
// UpdatedAt is the wall-clock time of the most recent persist.
UpdatedAt time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
// ReadyAt is the wall-clock time of the first State==Ready persist.
// Set-once: never overwritten by subsequent Ready transitions or
// state flaps, so it serves as an immutable "first reached Ready"
// marker.
ReadyAt time.Time `json:"readyAt,omitempty" yaml:"readyAt,omitempty"`
// Reason is a short reason code summarizing why State is in its
// current value. Empty when no reason has been recorded.
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
// Message is the human-readable detail backing Reason; especially
// valuable on State==Failed where it captures the immediate cause.
Message string `json:"message,omitempty" yaml:"message,omitempty"`
// CgroupReady reports whether CgroupPath actually exists on the
// host filesystem as of the last status write. The CgroupPath
// field records the intent (the path where the cgroup should
// live); this re-verifies presence so callers can distinguish
// "configured" from "still mounted".
CgroupReady bool `json:"cgroupReady,omitempty" yaml:"cgroupReady,omitempty"`
// ContainerdNamespaceReady reports whether the containerd
// namespace recorded in Spec.Namespace was actually present as of
// the last status write. Like CgroupReady, this separates intent
// from observation.
ContainerdNamespaceReady bool `json:"containerdNamespaceReady,omitempty" yaml:"containerdNamespaceReady,omitempty"`
}
type RegistryCredentials ¶
type RegistryCredentials struct {
// Username is the registry username.
Username string `json:"username" yaml:"username"`
// Password is the registry password or token.
Password string `json:"password" yaml:"password"`
// ServerAddress is the registry server address (e.g., "docker.io", "registry.example.com").
// If empty, credentials apply to the registry extracted from the image reference.
ServerAddress string `json:"serverAddress,omitempty" yaml:"serverAddress,omitempty"`
}
RegistryCredentials contains authentication information for a container registry.
type ServerConfigurationDoc ¶ added in v0.3.0
type ServerConfigurationDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata ServerConfigurationMetadata `json:"metadata" yaml:"metadata"`
Spec ServerConfigurationSpec `json:"spec" yaml:"spec"`
}
ServerConfigurationDoc is the kukeond-side configuration document. It is loaded by the kukeond daemon (via `kukeond --configuration <path>`) and by `kuke init --server-configuration <path>` when bootstrapping the daemon. It is not a server-side resource: `kuke apply` rejects it.
type ServerConfigurationMetadata ¶ added in v0.3.0
type ServerConfigurationSpec ¶ added in v0.3.0
type ServerConfigurationSpec struct {
// Socket is the unix socket path the daemon listens on.
Socket string `json:"socket,omitempty" yaml:"socket,omitempty"`
// SocketGID is the numeric group ID the daemon chowns its listener
// socket to (mode 0o660 with group). Zero means root-only access.
SocketGID int `json:"socketGID,omitempty" yaml:"socketGID,omitempty"`
// RunPath is the kukeon runtime root (e.g. /opt/kukeon).
RunPath string `json:"runPath,omitempty" yaml:"runPath,omitempty"`
// ContainerdSocket is the path to the containerd unix socket the
// daemon connects to.
ContainerdSocket string `json:"containerdSocket,omitempty" yaml:"containerdSocket,omitempty"`
// LogLevel is the daemon log level (debug, info, warn, error).
LogLevel string `json:"logLevel,omitempty" yaml:"logLevel,omitempty"`
// ReconcileInterval is the period of the daemon's background cell
// reconciliation loop, expressed as a Go time.Duration string (e.g.
// "30s", "1m"). Empty falls back to the in-binary default. A zero or
// negative duration disables the loop.
ReconcileInterval string `json:"reconcileInterval,omitempty" yaml:"reconcileInterval,omitempty"`
// KukeondImage is the container image `kuke init` provisions for the
// kukeond system cell. Read by `kuke init` only; the daemon ignores it.
KukeondImage string `json:"kukeondImage,omitempty" yaml:"kukeondImage,omitempty"`
// ContainerdNamespaceSuffix is the suffix appended to every realm name
// to form its containerd namespace. Realm "default" + suffix
// "kukeon.io" -> namespace "default.kukeon.io". Lets two kukeon
// instances coexist on the same host under disjoint namespaces.
// Default: kukeon.io.
ContainerdNamespaceSuffix string `json:"containerdNamespaceSuffix,omitempty" yaml:"containerdNamespaceSuffix,omitempty"`
// CgroupRoot is the cgroup root under which all realms / spaces /
// stacks / cells live (e.g. /kukeon-dev for a parallel dev instance on
// the same host). Default: /kukeon.
CgroupRoot string `json:"cgroupRoot,omitempty" yaml:"cgroupRoot,omitempty"`
}
ServerConfigurationSpec carries kukeond-only settings. Each field is optional: an absent or empty value falls back to the daemon's hardcoded default. Explicit command-line flags (`--socket`, `--run-path`, …) still take precedence over values loaded from this document.
type SpaceContainerDefaults ¶ added in v0.2.0
type SpaceContainerDefaults struct {
User string `json:"user,omitempty" yaml:"user,omitempty"`
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" yaml:"readOnlyRootFilesystem,omitempty"`
Capabilities *ContainerCapabilities `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
SecurityOpts []string `json:"securityOpts,omitempty" yaml:"securityOpts,omitempty"`
Tmpfs []ContainerTmpfsMount `json:"tmpfs,omitempty" yaml:"tmpfs,omitempty"`
Resources *ContainerResources `json:"resources,omitempty" yaml:"resources,omitempty"`
}
SpaceContainerDefaults mirrors the isolation-related fields on ContainerSpec. Each field is applied to a Container only when the Container leaves it empty. Inheritance is shallow: a Container that sets Capabilities replaces the Space default outright — Drop and Add slices are not merged.
ReadOnlyRootFilesystem is a *bool so the default can distinguish "not set" from an explicit "false"; Container.Spec.ReadOnlyRootFilesystem is still a plain bool, so a Container cannot opt out of a Space default that enables it.
type SpaceDefaults ¶ added in v0.2.0
type SpaceDefaults struct {
Container *SpaceContainerDefaults `json:"container,omitempty" yaml:"container,omitempty"`
}
SpaceDefaults declares default values that Kukeon inherits into resources created inside the Space unless the resource's own spec overrides the field. It exists so the isolation envelope can be declared once on the Space and reused by every Container that lives in it.
type SpaceDoc ¶
type SpaceDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata SpaceMetadata `json:"metadata" yaml:"metadata"`
Spec SpaceSpec `json:"spec" yaml:"spec"`
Status SpaceStatus `json:"status" yaml:"status"`
}
type SpaceMetadata ¶
type SpaceNetwork ¶ added in v0.2.0
type SpaceNetwork struct {
Egress *EgressPolicy `json:"egress,omitempty" yaml:"egress,omitempty"`
}
SpaceNetwork groups network-scoped policy applied to the space bridge.
type SpaceSpec ¶
type SpaceSpec struct {
RealmID string `json:"realmId" yaml:"realmId"`
CNIConfigPath string `json:"cniConfigPath,omitempty" yaml:"cniConfigPath,omitempty"`
Network *SpaceNetwork `json:"network,omitempty" yaml:"network,omitempty"`
Defaults *SpaceDefaults `json:"defaults,omitempty" yaml:"defaults,omitempty"`
}
type SpaceState ¶
type SpaceState int
const ( SpaceStatePending SpaceState = iota SpaceStateReady SpaceStateFailed SpaceStateUnknown )
func (SpaceState) MarshalJSON ¶ added in v0.5.0
func (s SpaceState) MarshalJSON() ([]byte, error)
func (SpaceState) MarshalYAML ¶ added in v0.5.0
func (s SpaceState) MarshalYAML() (interface{}, error)
func (*SpaceState) String ¶
func (s *SpaceState) String() string
func (*SpaceState) UnmarshalJSON ¶ added in v0.5.0
func (s *SpaceState) UnmarshalJSON(data []byte) error
func (*SpaceState) UnmarshalYAML ¶ added in v0.5.0
func (s *SpaceState) UnmarshalYAML(node *yaml.Node) error
type SpaceStatus ¶
type SpaceStatus struct {
State SpaceState `json:"state" yaml:"state"`
CgroupPath string `json:"cgroupPath,omitempty" yaml:"cgroupPath,omitempty"`
// SubtreeControllers is the cgroup-v2 controller set actually
// delegated on this space's own cgroup.subtree_control after the
// host-root filter (issue #328).
SubtreeControllers []string `json:"subtreeControllers,omitempty" yaml:"subtreeControllers,omitempty"`
// Lifecycle and runtime-health fields — see RealmStatus for the
// per-field contract; the semantics carry across all four kinds.
CreatedAt time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
UpdatedAt time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
ReadyAt time.Time `json:"readyAt,omitempty" yaml:"readyAt,omitempty"`
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
Message string `json:"message,omitempty" yaml:"message,omitempty"`
CgroupReady bool `json:"cgroupReady,omitempty" yaml:"cgroupReady,omitempty"`
}
type StackDoc ¶
type StackDoc struct {
APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
Kind Kind `json:"kind" yaml:"kind"`
Metadata StackMetadata `json:"metadata" yaml:"metadata"`
Spec StackSpec `json:"spec" yaml:"spec"`
Status StackStatus `json:"status" yaml:"status"`
}
type StackMetadata ¶
type StackState ¶
type StackState int
const ( StackStatePending StackState = iota StackStateReady StackStateFailed StackStateUnknown )
func (StackState) MarshalJSON ¶ added in v0.5.0
func (s StackState) MarshalJSON() ([]byte, error)
func (StackState) MarshalYAML ¶ added in v0.5.0
func (s StackState) MarshalYAML() (interface{}, error)
func (*StackState) String ¶
func (s *StackState) String() string
func (*StackState) UnmarshalJSON ¶ added in v0.5.0
func (s *StackState) UnmarshalJSON(data []byte) error
func (*StackState) UnmarshalYAML ¶ added in v0.5.0
func (s *StackState) UnmarshalYAML(node *yaml.Node) error
type StackStatus ¶
type StackStatus struct {
State StackState `json:"state" yaml:"state"`
CgroupPath string `json:"cgroupPath" yaml:"cgroupPath"`
// SubtreeControllers is the cgroup-v2 controller set actually
// delegated on this stack's own cgroup.subtree_control after the
// host-root filter (issue #328).
SubtreeControllers []string `json:"subtreeControllers,omitempty" yaml:"subtreeControllers,omitempty"`
// Lifecycle and runtime-health fields — see RealmStatus for the
// per-field contract; the semantics carry across all four kinds.
CreatedAt time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
UpdatedAt time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
ReadyAt time.Time `json:"readyAt,omitempty" yaml:"readyAt,omitempty"`
Reason string `json:"reason,omitempty" yaml:"reason,omitempty"`
Message string `json:"message,omitempty" yaml:"message,omitempty"`
CgroupReady bool `json:"cgroupReady,omitempty" yaml:"cgroupReady,omitempty"`
}
type TtyStage ¶ added in v0.3.0
type TtyStage struct {
Script string `json:"script,omitempty" yaml:"script,omitempty"`
}
TtyStage is a single onInit script entry. Wrapped in a struct rather than a bare string so future stage knobs (timeout, runOn, etc.) can land without breaking the YAML shape.
type Version ¶
type Version string
const ( // APIVersionV1Beta1 is the canonical API version for this package. APIVersionV1Beta1 Version = "v1beta1" )
type VolumeKind ¶ added in v0.4.0
type VolumeKind string
VolumeKind discriminates between the supported VolumeMount kinds. Mirrors intmodel.VolumeKind. An empty value deserializes as VolumeKindBind so YAML authored before the discriminator existed keeps its bind semantics.
const ( // VolumeKindBind is a host bind mount. Source and Target are required. VolumeKindBind VolumeKind = "bind" // VolumeKindTmpfs is an in-memory tmpfs mount. Only Target is required; // Source must be empty. SizeBytes and Mode tune the standard tmpfs // size= and mode= options when non-zero. VolumeKindTmpfs VolumeKind = "tmpfs" )
type VolumeMount ¶ added in v0.2.0
type VolumeMount struct {
Kind VolumeKind `json:"kind,omitempty" yaml:"kind,omitempty"`
Source string `json:"source,omitempty" yaml:"source,omitempty"`
Target string `json:"target" yaml:"target"`
ReadOnly bool `json:"readOnly,omitempty" yaml:"readOnly,omitempty"`
SizeBytes int64 `json:"sizeBytes,omitempty" yaml:"sizeBytes,omitempty"`
Mode uint32 `json:"mode,omitempty" yaml:"mode,omitempty"`
}
VolumeMount is a mount entry attached to a container. The Kind discriminator selects the OCI mount type the runtime emits: bind (host path → container path) or tmpfs (in-memory directory). Empty Kind means bind for back-compat with YAML authored before the discriminator existed.
Source Files
Click to show internal directories.
Click to hide internal directories.