Documentation
¶
Index ¶
- Constants
- Variables
- func AllowedListeningIPAddresses(ipv4, ipv6 bool) ([]string, error)
- func AllowedNICNames() ([]string, error)
- func HideUnsupportedFlags(flags *pflag.FlagSet)
- func StringInList(s string, list []string) bool
- type AccessLogging
- type AccessLoggingStatusEnum
- type ApiServer
- type AuditLog
- type CNIPlugin
- type CSIStorageDriver
- type Config
- func (c *Config) AddWarning(message string)
- func (cfg *Config) BootstrapKubeConfigExists() bool
- func (cfg *Config) BootstrapKubeConfigPath() string
- func (c *Config) CanonicalNodeName() string
- func (c *Config) EnsureNodeNameHasNotChanged() error
- func (cfg *Config) EtcdConfigPath() string
- func (c *Config) GetVerbosity() int
- func (c Config) IsIPv4() bool
- func (c Config) IsIPv6() bool
- func (cfg *Config) KubeConfigAdminPath(id string) string
- func (cfg *Config) KubeConfigPath(id KubeConfigID) string
- func (cfg *Config) KubeConfigRootAdminPath() string
- func (c Config) UserNodeIP() string
- func (c Config) UserNodeIPv6() string
- type CustomNoUpgrade
- type DNS
- type Debugging
- type DefaultHttpVersionPolicy
- type DeviceSpec
- type EtcdConfig
- type FeatureGates
- type GenericDevicePlugin
- type Group
- type HostsConfig
- type HostsStatusEnum
- type IngressConfig
- type IngressControllerTuningOptions
- type IngressPortsConfig
- type IngressStatusEnum
- type KubeConfigID
- type Manifests
- type MultiNodeConfig
- type Multus
- type MultusStatusEnum
- type NamedCertificateEntry
- type NamespaceOwnershipEnum
- type Network
- type Node
- type OptionalCsiComponent
- type Path
- type RouteAdmissionPolicy
- type Storage
- type TLSConfig
- type Telemetry
- type TelemetryStatusEnum
- type USBSpec
- type WildcardPolicy
Constants ¶
View Source
const ( FeatureSetCustomNoUpgrade = "CustomNoUpgrade" FeatureSetTechPreviewNoUpgrade = "TechPreviewNoUpgrade" FeatureSetDevPreviewNoUpgrade = "DevPreviewNoUpgrade" )
View Source
const ( ConfigFile = "/etc/microshift/config.yaml" DataDir = "/var/lib/microshift" BackupsDir = "/var/lib/microshift-backups" ConfigDropInDir = "/etc/microshift/config.d" )
View Source
const ( NamespaceOwnershipStrict NamespaceOwnershipEnum = "Strict" NamespaceOwnershipAllowed NamespaceOwnershipEnum = "InterNamespaceAllowed" StatusManaged IngressStatusEnum = "Managed" StatusRemoved IngressStatusEnum = "Removed" DefaultHttpVersionV1 DefaultHttpVersionPolicy = 1 DefaultHttpVersionV2 DefaultHttpVersionPolicy = 2 WildcardPolicyAllowed WildcardPolicy = "WildcardsAllowed" WildcardPolicyDisallowed WildcardPolicy = "WildcardsDisallowed" AccessLoggingEnabled AccessLoggingStatusEnum = "Enabled" AccessLoggingDisabled AccessLoggingStatusEnum = "Disabled" )
View Source
const ( // CniPluginUnset exists to support backwards compatibility with existing MicroShift clusters. When .network.cniPlugin is // "", MicroShift will default to deploying OVNK. This preserves the current deployment behavior of existing // clusters. CniPluginUnset CNIPlugin = "" // CniPluginNone signals MicroShift to not deploy the LVMS components. Setting the value for a cluster that has already // deployed LVMS will not cause LVMS to be deleted. Otherwise, volumes already deployed on the cluster would be // orphaned once their workloads stop or restart. CniPluginNone CNIPlugin = "none" // CniPluginOVNK is equivalent to CniPluginUnset, and explicitly tells MicroShift to deploy OVNK. This option exists to // provide a differentiation between OVNK and potential future CNI options. CniPluginOVNK CNIPlugin = "ovnk" // MultusEnabled signals MicroShift to deploy Multus CNI. MultusEnabled MultusStatusEnum = "Enabled" // MultusEnabled signals MicroShift to not deploy Multus CNI. MultusDisabled MultusStatusEnum = "Disabled" )
View Source
const (
// default DNS resolve file when systemd-resolved is used
DefaultSystemdResolvedFile = "/run/systemd/resolve/resolv.conf"
)
View Source
const ( // Etcd performance degrades significantly if the memory available // is less than 128MB, enforce this minimum. EtcdMinimumMemoryLimit = 128 )
Variables ¶
View Source
var RequiredFeatureGates = []string{"UserNamespacesSupport", "UserNamespacesPodSecurityStandards"}
RequiredFeatureGates are the feature gates that are always enabled by MicroShift. They are defined here to enable config validation. They are injected into the feature-gates field later by the microshift kube-apiserver controller.
Functions ¶
func AllowedNICNames ¶
func HideUnsupportedFlags ¶
func StringInList ¶
Types ¶
type AccessLogging ¶
type AccessLogging struct {
// Status of the access logging. If set to "Enabled", the router will
// log all requests to the access log. If set to "Disabled", the router
// will not log any requests to the access log.
//+kubebuilder:default=Disabled
//+kubebuilder:validation:Enum=Disabled;Enabled
Status AccessLoggingStatusEnum `json:"status"`
// destination is where access logs go.
//
// +required
Destination operatorv1.LoggingDestination `json:"destination"`
// httpLogFormat specifies the format of the log message for an HTTP
// request.
//
// If this field is empty, log messages use the implementation's default
// HTTP log format. For HAProxy's default HTTP log format, see the
// HAProxy documentation:
// http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3
//
// Note that this format only applies to cleartext HTTP connections
// and to secure HTTP connections for which the ingress controller
// terminates encryption (that is, edge-terminated or reencrypt
// connections). It does not affect the log format for TLS passthrough
// connections.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Type:=string
// +kubebuilder:default:=""
// +optional
HttpLogFormat string `json:"httpLogFormat,omitempty"`
// httpCaptureHeaders defines HTTP headers that should be captured in
// access logs. If this field is empty, no headers are captured.
//
// Note that this option only applies to cleartext HTTP connections
// and to secure HTTP connections for which the ingress controller
// terminates encryption (that is, edge-terminated or reencrypt
// connections). Headers cannot be captured for TLS passthrough
// connections.
//
// +optional
HttpCaptureHeaders operatorv1.IngressControllerCaptureHTTPHeaders `json:"httpCaptureHeaders,omitempty"`
// httpCaptureCookies specifies HTTP cookies that should be captured in
// access logs. If this field is empty, no cookies are captured.
//
// +nullable
// +optional
// +kubebuilder:validation:MaxItems=1
// +listType=atomic
HttpCaptureCookies []operatorv1.IngressControllerCaptureHTTPCookie `json:"httpCaptureCookies,omitempty"`
}
func (*AccessLogging) Validate ¶
func (a *AccessLogging) Validate() error
type AccessLoggingStatusEnum ¶
type AccessLoggingStatusEnum string
type ApiServer ¶
type ApiServer struct {
// SubjectAltNames added to API server certs
SubjectAltNames []string `json:"subjectAltNames"`
// Kube apiserver advertise address to work around the certificates issue
// when requiring external access using the node IP. This will turn into
// the IP configured in the endpoint slice for kubernetes service. Must be
// a reachable IP from pods. Defaults to service network CIDR first
// address.
AdvertiseAddress string `json:"advertiseAddress,omitempty"`
// List of custom certificates used to secure requests to specific host names
NamedCertificates []NamedCertificateEntry `json:"namedCertificates"`
// Determines if kube-apiserver controller should configure the
// AdvertiseAddress in the loopback interface. Automatically computed.
SkipInterface bool `json:"-"`
AuditLog AuditLog `json:"auditLog"`
TLS TLSConfig `json:"tls"`
FeatureGates FeatureGates `json:"featureGates"`
// The URL and Port of the API server cannot be changed by the user.
URL string `json:"-"`
Port int `json:"-"`
// In dual stack mode, ovnk requires ovn.OVNGatewayInterface to have one IP
// per family or else it wont start. When configuring advertiseAddress,
// whether that is manual or automatic, this IP is configured in that
// bridge afterwards in node package. Since there is only one IP, ovnk will
// return an error complaining about the other IP family for the secondary
// cluster/service network gateway. This variable holds all the different
// IP addresses that ovn.OVNGatewayInterface needs. Note that this IP is
// not configurable by users and it will not be used for apiserver
// advertising because of dual stack limitations there. This is only to
// make ovnk work properly.
AdvertiseAddresses []string `json:"-"`
}
type AuditLog ¶
type AuditLog struct {
// maxFileAge is the maximum number of days to retain old audit log files
// +kubebuilder:default=0
MaxFileAge int `json:"maxFileAge"`
// maxFiles is the maximum number of rotated audit log files to retain
// +kubebuilder:default=10
MaxFiles int `json:"maxFiles"`
// maxFileSize is the maximum size in megabytes of the audit log file before it gets rotated
// +kubebuilder:default=200
MaxFileSize int `json:"maxFileSize"`
// profile is the OpenShift profile specifying a specific logging policy
// +kubebuilder:default=Default
Profile string `json:"profile"`
}
type CNIPlugin ¶
type CNIPlugin string
CNIPlugin is an enum value that determines whether MicroShift deploys OVNK. +kubebuilder:validation:Enum:="";none;ovnk
type CSIStorageDriver ¶
type CSIStorageDriver string
CSIStorageDriver is an enum value that determines whether MicroShift deploys LVMS. +kubebuilder:validation:Enum:="";none;lvms
const ( // CsiDriverUnset exists to support backwards compatibility with existing MicroShift clusters. When .storage.driver is // "", MicroShift will default to deploying LVMS. This preserves the current deployment behavior of existing // clusters. CsiDriverUnset CSIStorageDriver = "" // CsiDriverNone signals MicroShift to not deploy the LVMS components. Setting the value for a cluster that has already // deployed LVMS will not cause LVMS to be deleted. Otherwise, volumes already deployed on the cluster would be // orphaned once their workloads stop or restart. CsiDriverNone CSIStorageDriver = "none" // CsiDriverLVMS is equivalent to CsiDriverUnset, and explicitly tells MicroShift to deploy LVMS. This option exists to // provide a differentiation between LVMS and potential future driver options. CsiDriverLVMS CSIStorageDriver = "lvms" )
type Config ¶
type Config struct {
DNS DNS `json:"dns"`
Network Network `json:"network"`
Node Node `json:"node"`
ApiServer ApiServer `json:"apiServer"`
Etcd EtcdConfig `json:"etcd"`
Debugging Debugging `json:"debugging"`
Manifests Manifests `json:"manifests"`
Ingress IngressConfig `json:"ingress"`
Storage Storage `json:"storage"`
Telemetry Telemetry `json:"telemetry"`
// Settings specified in this section are transferred as-is into the Kubelet config.
// +kubebuilder:validation:Schemaless
Kubelet map[string]any `json:"kubelet"`
GenericDevicePlugin GenericDevicePlugin `json:"genericDevicePlugin"`
MultiNode MultiNodeConfig `json:"-"` // the value read from commond line
Warnings []string `json:"-"` // Warnings that should not prevent the service from starting.
// contains filtered or unexported fields
}
func ActiveConfig ¶
ActiveConfig returns the active configuration which is default config with overrides from user provided config files.
func ConfigMultiNode ¶
ConfigMultiNode populates multinode configurations to Config.MultiNode
func NewDefault ¶
func NewDefault() *Config
NewDefault creates a new Config struct populated with the default values and with any computed values updated based on those defaults.
func (*Config) AddWarning ¶
AddWarning saves a warning message to be reported later.
func (*Config) BootstrapKubeConfigExists ¶
func (*Config) BootstrapKubeConfigPath ¶
func (*Config) CanonicalNodeName ¶
CanonicalNodeName returns the name to use for the node. The value is taken from either the HostnameOverride provided by the user in the config file, or the host name.
func (*Config) EnsureNodeNameHasNotChanged ¶
func (*Config) EtcdConfigPath ¶
func (*Config) GetVerbosity ¶
GetVerbosity returns the numerical value for LogLevel which is an enum.
func (*Config) KubeConfigAdminPath ¶
func (*Config) KubeConfigPath ¶
func (cfg *Config) KubeConfigPath(id KubeConfigID) string
KubeConfigPath returns the path to the specified kubeconfig file.
func (*Config) KubeConfigRootAdminPath ¶
func (Config) UserNodeIP ¶
UserNodeIP return the user configured NodeIP, or "" if it's unset.
func (Config) UserNodeIPv6 ¶
UserNodeIPv6 return the user configured NodeIPv6, or "" if it's unset.
type CustomNoUpgrade ¶
type DNS ¶
type DNS struct {
// baseDomain is the base domain of the cluster. All managed DNS records will
// be sub-domains of this base.
//
// For example, given the base domain `example.com`, router exposed
// domains will be formed as `*.apps.example.com` by default,
// and API service will have a DNS entry for `api.example.com`,
// as well as "api-int.example.com" for internal k8s API access.
//
// Once set, this field cannot be changed.
// +kubebuilder:default=example.com
// +kubebuilder:example=microshift.example.com
BaseDomain string `json:"baseDomain"`
// Hosts contains configuration for the hosts file.
Hosts HostsConfig `json:"hosts,omitempty"`
}
type Debugging ¶
type Debugging struct {
// Valid values are: "Normal", "Debug", "Trace", "TraceAll".
// Defaults to "Normal".
// +kubebuilder:default="Normal"
LogLevel string `json:"logLevel"`
}
type DefaultHttpVersionPolicy ¶
type DefaultHttpVersionPolicy int32
type DeviceSpec ¶
type DeviceSpec struct {
// Name is a unique string representing the kind of device this specification describes.
// +kubebuilder:default=serial
Name string `json:"name"`
// Groups is a list of groups of devices that should be scheduled under the same name.
Groups []*Group `json:"groups"`
}
DeviceSpec defines a device that should be discovered and scheduled. DeviceSpec allows multiple host devices to be selected and scheduled fungibly under the same name. Furthermore, host devices can be composed into groups of device nodes that should be scheduled as an atomic unit.
type EtcdConfig ¶
type EtcdConfig struct {
// Set a memory limit on the etcd process; etcd will begin paging
// memory when it gets to this value. 0 means no limit.
MemoryLimitMB uint64 `json:"memoryLimitMB"`
// The limit on the size of the etcd database; etcd will start
// failing writes if its size on disk reaches this value
QuotaBackendBytes int64 `json:"-"`
// If the backend is fragmented more than
// `maxFragmentedPercentage` and the database size is greater than
// `minDefragBytes`, do a defrag.
MinDefragBytes int64 `json:"-"`
MaxFragmentedPercentage float64 `json:"-"`
// How often to check the conditions for defragging (0 means no
// defrags, except for a single on startup).
DefragCheckFreq time.Duration `json:"-"`
}
type FeatureGates ¶
type FeatureGates struct {
FeatureSet string `json:"featureSet"`
CustomNoUpgrade CustomNoUpgrade `json:"customNoUpgrade"`
}
func (FeatureGates) GoString ¶
func (fg FeatureGates) GoString() string
Implement the GoStringer interface for better %#v printing
func (FeatureGates) ToApiserverArgs ¶
func (fg FeatureGates) ToApiserverArgs() ([]string, error)
type GenericDevicePlugin ¶
type GenericDevicePlugin struct {
// Generic Device Plugin status, can be Enabled or Disabled
// +kubebuilder:default=Disabled
// +kubebuilder:validation:Enum:=Enabled;Disabled;""
Status string `json:"status"`
// Domain with which devices will be present in the cluster,
// e.g. device.microshift.io/serial.
// +kubebuilder:default=device.microshift.io
Domain string `json:"domain"`
// Devices configuration
Devices []DeviceSpec `json:"devices"`
}
func (*GenericDevicePlugin) GetGDPDevices ¶
func (gdp *GenericDevicePlugin) GetGDPDevices() []deviceplugin.DeviceSpec
GetGDPDevices transforms the Devices to be of a type compatible with the Generic Device Plugin implementation.
type Group ¶
type Group struct {
// 'paths' is the list of devices of which the device group consists.
// Paths can be globs, in which case each device matched by the path will be schedulable `Count` times.
// When the paths have differing cardinalities, that is, the globs match different numbers of devices,
// the cardinality of each path is capped at the lowest cardinality.
// 'paths' is exclusive with 'usbs'.
Paths []*Path `json:"paths,omitempty"`
// 'usbs' is the list of USB specifications that this device group consists of.
// A USB device must match exactly on all the given attributes to pass.
// 'usbs' is exclusive with 'paths'.
USBSpecs []*USBSpec `json:"usbs,omitempty"`
// Count specifies how many times this group can be mounted concurrently.
// When unspecified, Count defaults to 1.
// +kubebuilder:default=1
Count uint `json:"count,omitempty"`
}
Group represents a set of devices that should be grouped and mounted into a container together as one single meta-device.
type HostsConfig ¶
type HostsConfig struct {
// File is the path to the hosts file to monitor.
// If not specified, defaults to "/etc/hosts".
// +kubebuilder:default="/etc/hosts"
// +kubebuilder:example="/etc/hosts"
File string `json:"file,omitempty"`
// Status controls whether the hosts file is enabled or disabled.
// Allowed values are "Enabled" and "Disabled".
// If not specified, defaults to "Disabled".
// +kubebuilder:default="Disabled"
// +kubebuilder:example="Enabled"
// +kubebuilder:validation:Enum=Enabled;Disabled
Status HostsStatusEnum `json:"status,omitempty"`
}
HostsConfig contains configuration for the hosts file .
type HostsStatusEnum ¶
type HostsStatusEnum string
const ( HostsStatusEnabled HostsStatusEnum = "Enabled" HostsStatusDisabled HostsStatusEnum = "Disabled" )
type IngressConfig ¶
type IngressConfig struct {
// Default router status, can be Managed or Removed.
// +kubebuilder:default=Managed
Status IngressStatusEnum `json:"status"`
AdmissionPolicy RouteAdmissionPolicy `json:"routeAdmissionPolicy"`
Ports IngressPortsConfig `json:"ports"`
TuningOptions IngressControllerTuningOptions `json:"tuningOptions"`
// List of IP addresses and NIC names where the router will be listening. The NIC
// names get translated to all their configured IPs dynamically. Defaults to the
// configured IPs in the host at MicroShift start.
ListenAddress []string `json:"listenAddress"`
ServingCertificate []byte `json:"-"`
ServingKey []byte `json:"-"`
// ServingCertificateSecret references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
// The secret must exist in the openshift-ingress namespace and contain the following required fields:
// - Secret.Data["tls.key"] - TLS private key.
// - Secret.Data["tls.crt"] - TLS certificate.
//
// +optional
// +kubebuilder:default:="router-certs-default"
ServingCertificateSecret string `json:"certificateSecret"`
// logEmptyRequests specifies how connections on which no request is
// received should be logged. Typically, these empty requests come from
// load balancers' health probes or Web browsers' speculative
// connections ("preconnect"), in which case logging these requests may
// be undesirable. However, these requests may also be caused by
// network errors, in which case logging empty requests may be useful
// for diagnosing the errors. In addition, these requests may be caused
// by port scans, in which case logging empty requests may aid in
// detecting intrusion attempts. Allowed values for this field are
// "Log" and "Ignore". The default value is "Log".
//
// +optional
// +kubebuilder:default:="Log"
LogEmptyRequests operatorv1.LoggingPolicy `json:"logEmptyRequests,omitempty"`
// forwardedHeaderPolicy specifies when and how ingress router
// sets the Forwarded, X-Forwarded-For, X-Forwarded-Host,
// X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version
// HTTP headers. The value may be one of the following:
//
// * "Append", which specifies that ingress router appends the
// headers, preserving existing headers.
//
// * "Replace", which specifies that ingress router sets the
// headers, replacing any existing Forwarded or X-Forwarded-* headers.
//
// * "IfNone", which specifies that ingress router sets the
// headers if they are not already set.
//
// * "Never", which specifies that ingress router never sets the
// headers, preserving any existing headers.
//
// By default, the policy is "Append".
//
// +optional
ForwardedHeaderPolicy operatorv1.IngressControllerHTTPHeaderPolicy `json:"forwardedHeaderPolicy,omitempty"`
// httpEmptyRequestsPolicy describes how HTTP connections should be
// handled if the connection times out before a request is received.
// Allowed values for this field are "Respond" and "Ignore". If the
// field is set to "Respond", the ingress controller sends an HTTP 400
// or 408 response, logs the connection (if access logging is enabled),
// and counts the connection in the appropriate metrics. If the field
// is set to "Ignore", the ingress controller closes the connection
// without sending a response, logging the connection, or incrementing
// metrics. The default value is "Respond".
//
// Typically, these connections come from load balancers' health probes
// or Web browsers' speculative connections ("preconnect") and can be
// safely ignored. However, these requests may also be caused by
// network errors, and so setting this field to "Ignore" may impede
// detection and diagnosis of problems. In addition, these requests may
// be caused by port scans, in which case logging empty requests may aid
// in detecting intrusion attempts.
//
// +optional
// +kubebuilder:default:="Respond"
HTTPEmptyRequestsPolicy operatorv1.HTTPEmptyRequestsPolicy `json:"httpEmptyRequestsPolicy,omitempty"`
// httpCompression defines a policy for HTTP traffic compression.
// By default, there is no HTTP compression.
//
// +optional
HTTPCompressionPolicy operatorv1.HTTPCompressionPolicy `json:"httpCompression,omitempty"`
// Determines default http version should be used for the ingress backends
// By default, using version 1.
//
// +optional
// +kubebuilder:default:="1"
DefaultHttpVersionPolicy DefaultHttpVersionPolicy `json:"defaultHTTPVersion,omitempty"`
// tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers.
//
// If unset, the default is based on the apiservers.config.openshift.io/cluster resource.
//
// Note that when using the Old, Intermediate, and Modern profile types, the effective
// profile configuration is subject to change between releases. For example, given
// a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade
// to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress
// controller, resulting in a rollout.
//
// +optional
TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
// clientTLS specifies settings for requesting and verifying client
// certificates, which can be used to enable mutual TLS for
// edge-terminated and reencrypt routes.
//
// +optional
ClientTLS operatorv1.ClientTLS `json:"clientTLS,omitempty"`
// httpErrorCodePages specifies a configmap with custom error pages.
// The administrator must create this configmap in the openshift-config namespace.
// This configmap should have keys in the format "error-page-<error code>.http",
// where <error code> is an HTTP error code.
// For example, "error-page-503.http" defines an error page for HTTP 503 responses.
// Currently only error pages for 503 and 404 responses can be customized.
// Each value in the configmap should be the full response, including HTTP headers.
// Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http
// If this field is empty, the ingress controller uses the default error pages.
// +kubebuilder:validation:Optional
HttpErrorCodePages configv1.ConfigMapNameReference `json:"httpErrorCodePages,omitempty"`
// accessLogging describes how the client requests should be logged.
AccessLogging AccessLogging `json:"accessLogging,omitempty"`
}
type IngressControllerTuningOptions ¶
type IngressControllerTuningOptions struct {
// headerBufferBytes describes how much memory should be reserved
// (in bytes) for IngressController connection sessions.
// Note that this value must be at least 16384 if HTTP/2 is
// enabled for the IngressController (https://tools.ietf.org/html/rfc7540).
// If this field is empty, the IngressController will use a default value
// of 32768 bytes.
//
// Setting this field is generally not recommended as headerBufferBytes
// values that are too small may break the IngressController and
// headerBufferBytes values that are too large could cause the
// IngressController to use significantly more memory than necessary.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Minimum=16384
// +optional
HeaderBufferBytes int32 `json:"headerBufferBytes,omitempty"`
// headerBufferMaxRewriteBytes describes how much memory should be reserved
// (in bytes) from headerBufferBytes for HTTP header rewriting
// and appending for IngressController connection sessions.
// Note that incoming HTTP requests will be limited to
// (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning
// headerBufferBytes must be greater than headerBufferMaxRewriteBytes.
// If this field is empty, the IngressController will use a default value
// of 8192 bytes.
//
// Setting this field is generally not recommended as
// headerBufferMaxRewriteBytes values that are too small may break the
// IngressController and headerBufferMaxRewriteBytes values that are too
// large could cause the IngressController to use significantly more memory
// than necessary.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Minimum=4096
// +optional
HeaderBufferMaxRewriteBytes int32 `json:"headerBufferMaxRewriteBytes,omitempty"`
// threadCount defines the number of threads created per HAProxy process.
// Creating more threads allows each ingress controller pod to handle more
// connections, at the cost of more system resources being used. HAProxy
// currently supports up to 64 threads. If this field is empty, the
// IngressController will use the default value. The current default is 4
// threads, but this may change in future releases.
//
// Setting this field is generally not recommended. Increasing the number
// of HAProxy threads allows ingress controller pods to utilize more CPU
// time under load, potentially starving other pods if set too high.
// Reducing the number of threads may cause the ingress controller to
// perform poorly.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=64
// +optional
ThreadCount int32 `json:"threadCount,omitempty"`
// clientTimeout defines how long a connection will be held open while
// waiting for a client response.
//
// If unset, the default timeout is 30s
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="30s"
// +optional
ClientTimeout *metav1.Duration `json:"clientTimeout,omitempty"`
// clientFinTimeout defines how long a connection will be held open while
// waiting for the client response to the server/backend closing the
// connection.
//
// If unset, the default timeout is 1s
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="1s"
// +optional
ClientFinTimeout *metav1.Duration `json:"clientFinTimeout,omitempty"`
// serverTimeout defines how long a connection will be held open while
// waiting for a server/backend response.
//
// If unset, the default timeout is 30s
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="30s"
// +optional
ServerTimeout *metav1.Duration `json:"serverTimeout,omitempty"`
// serverFinTimeout defines how long a connection will be held open while
// waiting for the server/backend response to the client closing the
// connection.
//
// If unset, the default timeout is 1s
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="1s"
// +optional
ServerFinTimeout *metav1.Duration `json:"serverFinTimeout,omitempty"`
// tunnelTimeout defines how long a tunnel connection (including
// websockets) will be held open while the tunnel is idle.
//
// If unset, the default timeout is 1h
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="1h"
// +optional
TunnelTimeout *metav1.Duration `json:"tunnelTimeout,omitempty"`
// tlsInspectDelay defines how long the router can hold data to find a
// matching route.
//
// Setting this too short can cause the router to fall back to the default
// certificate for edge-terminated or reencrypt routes even when a better
// matching certificate could be used.
//
// If unset, the default inspect delay is 5s
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +kubebuilder:default:="5s"
// +optional
TLSInspectDelay *metav1.Duration `json:"tlsInspectDelay,omitempty"`
// healthCheckInterval defines how long the router waits between two consecutive
// health checks on its configured backends. This value is applied globally as
// a default for all routes, but may be overridden per-route by the route annotation
// "router.openshift.io/haproxy.health.check.interval".
//
// Expects an unsigned duration string of decimal numbers, each with optional
// fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m".
// Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h".
//
// Setting this to less than 5s can cause excess traffic due to too frequent
// TCP health checks and accompanying SYN packet storms. Alternatively, setting
// this too high can result in increased latency, due to backend servers that are no
// longer available, but haven't yet been detected as such.
//
// An empty or zero healthCheckInterval means no opinion and IngressController chooses
// a default, which is subject to change over time.
// Currently the default healthCheckInterval value is 5s.
//
// Currently the minimum allowed value is 1s and the maximum allowed value is
// 2147483647ms (24.85 days). Both are subject to change over time.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Pattern=^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
// +kubebuilder:validation:Type:=string
// +kubebuilder:default:="5s"
// +optional
HealthCheckInterval *metav1.Duration `json:"healthCheckInterval,omitempty"`
// maxConnections defines the maximum number of simultaneous
// connections that can be established per HAProxy process.
// Increasing this value allows each ingress controller pod to
// handle more connections but at the cost of additional
// system resources being consumed.
//
// Permitted values are: empty, 0, -1, and the range
// 2000-2000000.
//
// If this field is empty or 0, the IngressController will use
// the default value of 50000, but the default is subject to
// change in future releases.
//
// If the value is -1 then HAProxy will dynamically compute a
// maximum value based on the available ulimits in the running
// container. Selecting -1 (i.e., auto) will result in a large
// value being computed (~520000 on OpenShift >=4.10 clusters)
// and therefore each HAProxy process will incur significant
// memory usage compared to the current default of 50000.
//
// Setting a value that is greater than the current operating
// system limit will prevent the HAProxy process from
// starting.
//
// If you choose a discrete value (e.g., 750000) and the
// router pod is migrated to a new node, there's no guarantee
// that new node has identical ulimits configured. In
// such a scenario the pod would fail to start. If you have
// nodes with different ulimits configured (e.g., different
// tuned profiles) and you choose a discrete value then the
// guidance is to use -1 and let the value be computed
// dynamically at runtime.
//
// You can monitor memory usage for router containers with the
// following metric:
// 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'.
//
// You can monitor memory usage of individual HAProxy
// processes in router containers with the following metric:
// 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'.
//
// +kubebuilder:validation:Optional
// +optional
MaxConnections int32 `json:"maxConnections,omitempty"`
}
IngressControllerTuningOptions specifies options for tuning the performance of ingress controller pods
type IngressPortsConfig ¶
type IngressStatusEnum ¶
type IngressStatusEnum string
type KubeConfigID ¶
type KubeConfigID string
KubeConfigID identifies the different kubeconfigs managed in the DataDir
const ( KubeAdmin KubeConfigID = "kubeadmin" KubeControllerManager KubeConfigID = "kube-controller-manager" KubeScheduler KubeConfigID = "kube-scheduler" Kubelet KubeConfigID = "kubelet" ClusterPolicyController KubeConfigID = "cluster-policy-controller" RouteControllerManager KubeConfigID = "route-controller-manager" ObservabilityClient KubeConfigID = "observability-client" )
type Manifests ¶
type Manifests struct {
// The locations on the filesystem to scan for kustomization
// files to use to load manifests. Set to a list of paths to scan
// only those paths. Set to an empty list to disable loading
// manifests. The entries in the list can be glob patterns to
// match multiple subdirectories.
//
// +kubebuilder:default={"/usr/lib/microshift/manifests","/usr/lib/microshift/manifests.d/*","/etc/microshift/manifests","/etc/microshift/manifests.d/*"}
KustomizePaths []string `json:"kustomizePaths"`
}
func (*Manifests) GetKustomizationDeletePaths ¶
func (*Manifests) GetKustomizationPaths ¶
GetKustomizationPaths returns the list of configured paths for which there are actual kustomization files to be loaded. The paths are returned in the order given in the configuration file. The results of any glob patterns are sorted lexicographically.
type MultiNodeConfig ¶
type Multus ¶
type Multus struct {
// Status controls the deployment of the Multus CNI.
// Changing from "Enabled" to "Disabled" will not cause Multus CNI to be deleted.
// Allowed values are: unset (disabled), "Enabled", or "Disabled"
//
// +kubebuilder:validation:Optional
// +kubebuilder:default=Disabled
Status MultusStatusEnum `json:"status"`
}
type MultusStatusEnum ¶
type MultusStatusEnum string
MultusStatusEnum is an enum value that determines whether MicroShift deploys Multus CNI. +kubebuilder:validation:Enum:=Enabled;Disabled
type NamedCertificateEntry ¶
type NamedCertificateEntry struct {
Names []string `json:"names"`
CertPath string `json:"certPath"`
KeyPath string `json:"keyPath"`
}
NamedCertificateEntry provides certificate details
type NamespaceOwnershipEnum ¶
type NamespaceOwnershipEnum string
type Network ¶
type Network struct {
// CNIPlugin is a user defined string value matching one of the above CNI values. MicroShift uses this
// value to decide whether to deploy the OVN-K as default CNI. An unset field defaults to "" during yaml parsing, and thus
// could mean that the cluster has been upgraded. In order to support the existing out-of-box behavior, MicroShift
// assumes an empty string to mean the OVN-K should be deployed.
// Allowed values are: unset or one of ["", "ovnk", "none"]
// +kubebuilder:validation:Optional
CNIPlugin CNIPlugin `json:"cniPlugin,omitempty"`
// IP address pool to use for pod IPs.
// This field is immutable after installation.
// +kubebuilder:default={"10.42.0.0/16"}
ClusterNetwork []string `json:"clusterNetwork"`
// IP address pool for services.
// Currently, we only support a single entry here.
// This field is immutable after installation.
// +kubebuilder:default={"10.43.0.0/16"}
ServiceNetwork []string `json:"serviceNetwork"`
// The port range allowed for Services of type NodePort.
// If not specified, the default of 30000-32767 will be used.
// Such Services without a NodePort specified will have one
// automatically allocated from this range.
// This parameter can be updated after the cluster is
// installed.
// +kubebuilder:validation:Pattern=`^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$`
// +kubebuilder:default="30000-32767"
ServiceNodePortRange string `json:"serviceNodePortRange"`
Multus Multus `json:"multus"`
// The DNS server to use
DNS string `json:"-"`
}
type Node ¶
type Node struct {
// If non-empty, will use this string to identify the node instead of the hostname
HostnameOverride string `json:"hostnameOverride"`
// IP address of the node, passed to the kubelet.
// If not specified, kubelet will use the node's default IP address.
NodeIP string `json:"nodeIP"`
// IPv6 address of the node, passed to the kubelet. This parameter
// is only allowed when dual stack deployment is configured.
NodeIPV6 string `json:"nodeIPv6"`
}
type OptionalCsiComponent ¶
type OptionalCsiComponent string
OptionalCsiComponent values determine which CSI components MicroShift should deploy. Currently only csi snapshot components are supported. +kubebuilder:validation:Enum:=none;snapshot-controller;""
const ( // CsiComponentNone exists to support backwards compatibility with existing MicroShift clusters. By default, // MicroShift will deploy snapshot controller when no components are specified. This preserves the // current deployment behavior of existing clusters. Users must set .storage.with-csi-components: [ "none" ] to // explicitly tell MicroShift not to deploy any CSI components. The CSI Driver is excluded as it is typically // deployed via the same manifest as the accompanying storage driver. Like DriverOpt, uninstallation is not // supported as this can lead to orphaned storage volumes. Mutually exclusive with all other ComponentOpt values. CsiComponentNone OptionalCsiComponent = "none" // CsiComponentSnapshot causes MicroShift to deploy the CSI Snapshot controller. CsiComponentSnapshot OptionalCsiComponent = "snapshot-controller" // CsiComponentNullAlias is equivalent to not specifying a value. It exists because controller-gen generates // default empty-array values as [""], instead of []. Failing to include this odd value would mean the generated // /etc/microshift/config.default.yaml would break if passed to MicroShift. CsiComponentNullAlias OptionalCsiComponent = "" )
type Path ¶
type Path struct {
// Path is the file path of a device in the host.
// +kubebuilder:default=/dev/ttyACM0
Path string `json:"path"`
// MountPath is the file path at which the host device should be mounted within the container.
// When unspecified, MountPath defaults to the Path.
// +kubebuilder:default=/dev/ttyACM0
MountPath string `json:"mountPath,omitempty"`
// Permissions is the file-system permissions given to the mounted device.
// Permissions apply only to mounts of type `Device`.
// This can be one or more of:
// * r - allows the container to read from the specified device.
// * w - allows the container to write to the specified device.
// * m - allows the container to create device files that do not yet exist.
// When unspecified, Permissions defaults to mrw.
// +kubebuilder:default=mrw
Permissions string `json:"permissions,omitempty"`
// ReadOnly specifies whether the path should be mounted read-only.
// ReadOnly applies only to mounts of type `Mount`.
// +kubebuilder:default=false
ReadOnly bool `json:"readOnly,omitempty"`
// Type describes what type of file-system node this Path represents and thus how it should be mounted.
// Allowed values: "Device", "Mount". When unspecified, type defaults to Device.
// +kubebuilder:default=Device
// +kubebuilder:validation:Enum:=Device;Mount;""
Type deviceplugin.PathType `json:"type,omitempty"`
// Limit specifies up to how many times this device can be used in the group concurrently when other devices
// in the group yield more matches.
// For example, if one path in the group matches 5 devices and another matches 1 device but has a limit of 10,
// then the group will provide 5 pairs of devices.
// When unspecified, Limit defaults to 1.
// +kubebuilder:default=1
Limit uint `json:"limit,omitempty"`
}
Path represents a file path that should be discovered.
type RouteAdmissionPolicy ¶
type RouteAdmissionPolicy struct {
// Describes how host name claims across namespaces should be handled.
//
// Value must be one of:
//
// - Strict: Do not allow routes in different namespaces to claim the same host.
//
// - InterNamespaceAllowed: Allow routes to claim different paths of the same
// host name across namespaces.
//
// If empty, the default is InterNamespaceAllowed.
// +kubebuilder:default="InterNamespaceAllowed"
NamespaceOwnership NamespaceOwnershipEnum `json:"namespaceOwnership"`
// wildcardPolicy describes how routes with wildcard policies should
// be handled for the ingress controller. WildcardPolicy controls use
// of routes [1] exposed by the ingress controller based on the route's
// wildcard policy.
//
// [1] https://github.com/openshift/api/blob/master/route/v1/types.go
//
// Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed
// will cause admitted routes with a wildcard policy of Subdomain to stop
// working. These routes must be updated to a wildcard policy of None to be
// readmitted by the ingress controller.
//
// WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values.
//
// If empty, defaults to "WildcardsDisallowed".
//
WildcardPolicy WildcardPolicy `json:"wildcardPolicy,omitempty"`
}
type Storage ¶
type Storage struct {
// Driver is a user defined string value matching one of the above CSIStorageDriver values. MicroShift uses this
// value to decide whether to deploy the LVMS operator. An unset field defaults to "" during yaml parsing, and thus
// could mean that the cluster has been upgraded. In order to support the existing out-of-box behavior, MicroShift
// assumes an empty string to mean the storage driver should be deployed.
// Allowed values are: unset or one of ["", "lvms", "none"]
// +kubebuilder:validation:Optional
Driver CSIStorageDriver `json:"driver,omitempty"`
// OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which
// additional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller
// when no components are specified. This preserves the current deployment behavior of existing
// clusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI
// components. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying
// storage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage
// objects.
// Allowed values are: unset, [], or one or more of ["snapshot-controller"]
// +kubebuilder:validation:Optional
// +kubebuilder:example={"snapshot-controller"}
OptionalCSIComponents []OptionalCsiComponent `json:"optionalCsiComponents,omitempty"`
}
Storage represents a subfield of the MicroShift config data structure. Its purpose to provide a user facing interface to control whether MicroShift should deploy LVMS on startup.
func (Storage) IsEnabled ¶
IsEnabled returns false only when .storage.driver: "none". An empty value is considered "enabled" for backwards compatibility. Otherwise, the meaning of the config would silently change after an upgrade from enabled-by-default to disabled-by-default.
type TLSConfig ¶
type TLSConfig struct {
// CipherSuites lists the allowed cipher suites that the API server will
// accept and serve. Defaults to cipher suites from the minVersion config
// parameter.
CipherSuites []string `json:"cipherSuites"`
// MinVersion specifies which TLS version is the minimum version of TLS
// to serve from the API server. Allowed values: VersionTLS12, VersionTLS13.
// Defaults to VersionTLS12.
// +kubebuilder:validation:Enum:=VersionTLS12;VersionTLS13
// +kubebuilder:default=VersionTLS12
MinVersion string `json:"minVersion"`
}
func (*TLSConfig) UpdateValues ¶
func (t *TLSConfig) UpdateValues()
type Telemetry ¶
type Telemetry struct {
// Telemetry status, which can be Enabled or Disabled. Defaults to Enabled.
// +kubebuilder:default=Enabled
Status TelemetryStatusEnum `json:"status"`
// Endpoint where to send telemetry data.
// +kubebuilder:default="https://infogw.api.openshift.com/metrics/v1/receive"
Endpoint string `json:"endpoint"`
// HTTP proxy to use exclusively for telemetry data. If unset telemetry will
// default to use the system configured proxy.
Proxy string `json:"proxy"`
}
type TelemetryStatusEnum ¶
type TelemetryStatusEnum string
const ( StatusEnabled TelemetryStatusEnum = "Enabled" StatusDisabled TelemetryStatusEnum = "Disabled" )
type USBSpec ¶
type USBSpec struct {
// Vendor is the USB Vendor ID of the device to match on.
// It should have the format "0x0123" or "0123".
Vendor string `json:"vendor"`
// Product is the USB Product ID of the device to match on.
// It should have the format "0x0123" or "0123".
Product string `json:"product"`
// Serial is the serial number of the device to match on.
// If specified, it must match exactly.
Serial string `json:"serial"`
}
USBSpec represents a USB device specification that should be discovered. A USB device must match exactly on all the given attributes to pass.
type WildcardPolicy ¶
type WildcardPolicy string
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.