|
1 | 1 | # Source: https://raw.githubusercontent.com/projectcontour/contour/v{version}/examples/contour/01-crds.yaml |
2 | | -# Version: 1.32.0 |
| 2 | +# Version: 1.33.0 |
3 | 3 | # Conditional: .Values.contour.manageCRDs |
4 | 4 | {{- if .Values.contour.manageCRDs }} |
5 | 5 | --- |
6 | 6 | apiVersion: apiextensions.k8s.io/v1 |
7 | 7 | kind: CustomResourceDefinition |
8 | 8 | metadata: |
9 | 9 | annotations: |
10 | | - controller-gen.kubebuilder.io/version: v0.18.0 |
| 10 | + controller-gen.kubebuilder.io/version: v0.19.0 |
11 | 11 | name: contourconfigurations.projectcontour.io |
12 | 12 | spec: |
13 | 13 | preserveUnknownFields: false |
@@ -1406,7 +1406,7 @@ apiVersion: apiextensions.k8s.io/v1 |
1406 | 1406 | kind: CustomResourceDefinition |
1407 | 1407 | metadata: |
1408 | 1408 | annotations: |
1409 | | - controller-gen.kubebuilder.io/version: v0.18.0 |
| 1409 | + controller-gen.kubebuilder.io/version: v0.19.0 |
1410 | 1410 | name: contourdeployments.projectcontour.io |
1411 | 1411 | spec: |
1412 | 1412 | preserveUnknownFields: false |
@@ -1625,7 +1625,7 @@ spec: |
1625 | 1625 | description: |- |
1626 | 1626 | Claims lists the names of resources, defined in spec.resourceClaims, |
1627 | 1627 | that are used by this container. |
1628 | | - This is an alpha field and requires enabling the |
| 1628 | + This field depends on the |
1629 | 1629 | DynamicResourceAllocation feature gate. |
1630 | 1630 | This field is immutable. It can only be set for containers. |
1631 | 1631 | items: |
@@ -1746,7 +1746,7 @@ spec: |
1746 | 1746 | pod is available (Ready for at least minReadySeconds) the old DaemonSet pod |
1747 | 1747 | on that node is marked deleted. If the old pod becomes unavailable for any |
1748 | 1748 | reason (Ready transitions to false, is evicted, or is drained) an updated |
1749 | | - pod is immediatedly created on that node without considering surge limits. |
| 1749 | + pod is immediately created on that node without considering surge limits. |
1750 | 1750 | Allowing surge implies the possibility that the resources consumed by the |
1751 | 1751 | daemonset on any given node can double if the readiness check fails, and |
1752 | 1752 | so resource intensive daemonsets should take into account that they may |
@@ -2569,15 +2569,13 @@ spec: |
2569 | 2569 | volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. |
2570 | 2570 | If specified, the CSI driver will create or update the volume with the attributes defined |
2571 | 2571 | in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, |
2572 | | - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass |
2573 | | - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. |
2574 | | - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass |
2575 | | - will be set by the persistentvolume controller if it exists. |
| 2572 | + it can be changed after the claim is created. An empty string or nil value indicates that no |
| 2573 | + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, |
| 2574 | + this field can be reset to its previous value (including nil) to cancel the modification. |
2576 | 2575 | If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be |
2577 | 2576 | set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource |
2578 | 2577 | exists. |
2579 | 2578 | More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ |
2580 | | - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). |
2581 | 2579 | type: string |
2582 | 2580 | volumeMode: |
2583 | 2581 | description: |- |
@@ -2759,12 +2757,10 @@ spec: |
2759 | 2757 | description: |- |
2760 | 2758 | glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. |
2761 | 2759 | Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. |
2762 | | - More info: https://examples.k8s.io/volumes/glusterfs/README.md |
2763 | 2760 | properties: |
2764 | 2761 | endpoints: |
2765 | | - description: |- |
2766 | | - endpoints is the endpoint name that details Glusterfs topology. |
2767 | | - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod |
| 2762 | + description: endpoints is the endpoint name that details |
| 2763 | + Glusterfs topology. |
2768 | 2764 | type: string |
2769 | 2765 | path: |
2770 | 2766 | description: |- |
@@ -2841,7 +2837,7 @@ spec: |
2841 | 2837 | description: |- |
2842 | 2838 | iscsi represents an ISCSI Disk resource that is attached to a |
2843 | 2839 | kubelet's host machine and then exposed to the pod. |
2844 | | - More info: https://examples.k8s.io/volumes/iscsi/README.md |
| 2840 | + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi |
2845 | 2841 | properties: |
2846 | 2842 | chapAuthDiscovery: |
2847 | 2843 | description: chapAuthDiscovery defines whether support |
@@ -3260,6 +3256,96 @@ spec: |
3260 | 3256 | type: array |
3261 | 3257 | x-kubernetes-list-type: atomic |
3262 | 3258 | type: object |
| 3259 | + podCertificate: |
| 3260 | + description: |- |
| 3261 | + Projects an auto-rotating credential bundle (private key and certificate |
| 3262 | + chain) that the pod can use either as a TLS client or server. |
| 3263 | + Kubelet generates a private key and uses it to send a |
| 3264 | + PodCertificateRequest to the named signer. Once the signer approves the |
| 3265 | + request and issues a certificate chain, Kubelet writes the key and |
| 3266 | + certificate chain to the pod filesystem. The pod does not start until |
| 3267 | + certificates have been issued for each podCertificate projected volume |
| 3268 | + source in its spec. |
| 3269 | + Kubelet will begin trying to rotate the certificate at the time indicated |
| 3270 | + by the signer using the PodCertificateRequest.Status.BeginRefreshAt |
| 3271 | + timestamp. |
| 3272 | + Kubelet can write a single file, indicated by the credentialBundlePath |
| 3273 | + field, or separate files, indicated by the keyPath and |
| 3274 | + certificateChainPath fields. |
| 3275 | + The credential bundle is a single file in PEM format. The first PEM |
| 3276 | + entry is the private key (in PKCS#8 format), and the remaining PEM |
| 3277 | + entries are the certificate chain issued by the signer (typically, |
| 3278 | + signers will return their certificate chain in leaf-to-root order). |
| 3279 | + Prefer using the credential bundle format, since your application code |
| 3280 | + can read it atomically. If you use keyPath and certificateChainPath, |
| 3281 | + your application must make two separate file reads. If these coincide |
| 3282 | + with a certificate rotation, it is possible that the private key and leaf |
| 3283 | + certificate you read may not correspond to each other. Your application |
| 3284 | + will need to check for this condition, and re-read until they are |
| 3285 | + consistent. |
| 3286 | + The named signer controls chooses the format of the certificate it |
| 3287 | + issues; consult the signer implementation's documentation to learn how to |
| 3288 | + use the certificates it issues. |
| 3289 | + properties: |
| 3290 | + certificateChainPath: |
| 3291 | + description: |- |
| 3292 | + Write the certificate chain at this path in the projected volume. |
| 3293 | + Most applications should use credentialBundlePath. When using keyPath |
| 3294 | + and certificateChainPath, your application needs to check that the key |
| 3295 | + and leaf certificate are consistent, because it is possible to read the |
| 3296 | + files mid-rotation. |
| 3297 | + type: string |
| 3298 | + credentialBundlePath: |
| 3299 | + description: |- |
| 3300 | + Write the credential bundle at this path in the projected volume. |
| 3301 | + The credential bundle is a single file that contains multiple PEM blocks. |
| 3302 | + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private |
| 3303 | + key. |
| 3304 | + The remaining blocks are CERTIFICATE blocks, containing the issued |
| 3305 | + certificate chain from the signer (leaf and any intermediates). |
| 3306 | + Using credentialBundlePath lets your Pod's application code make a single |
| 3307 | + atomic read that retrieves a consistent key and certificate chain. If you |
| 3308 | + project them to separate files, your application code will need to |
| 3309 | + additionally check that the leaf certificate was issued to the key. |
| 3310 | + type: string |
| 3311 | + keyPath: |
| 3312 | + description: |- |
| 3313 | + Write the key at this path in the projected volume. |
| 3314 | + Most applications should use credentialBundlePath. When using keyPath |
| 3315 | + and certificateChainPath, your application needs to check that the key |
| 3316 | + and leaf certificate are consistent, because it is possible to read the |
| 3317 | + files mid-rotation. |
| 3318 | + type: string |
| 3319 | + keyType: |
| 3320 | + description: |- |
| 3321 | + The type of keypair Kubelet will generate for the pod. |
| 3322 | + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", |
| 3323 | + "ECDSAP521", and "ED25519". |
| 3324 | + type: string |
| 3325 | + maxExpirationSeconds: |
| 3326 | + description: |- |
| 3327 | + maxExpirationSeconds is the maximum lifetime permitted for the |
| 3328 | + certificate. |
| 3329 | + Kubelet copies this value verbatim into the PodCertificateRequests it |
| 3330 | + generates for this projection. |
| 3331 | + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver |
| 3332 | + will reject values shorter than 3600 (1 hour). The maximum allowable |
| 3333 | + value is 7862400 (91 days). |
| 3334 | + The signer implementation is then free to issue a certificate with any |
| 3335 | + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 |
| 3336 | + seconds (1 hour). This constraint is enforced by kube-apiserver. |
| 3337 | + `kubernetes.io` signers will never issue certificates with a lifetime |
| 3338 | + longer than 24 hours. |
| 3339 | + format: int32 |
| 3340 | + type: integer |
| 3341 | + signerName: |
| 3342 | + description: Kubelet's generated CSRs will |
| 3343 | + be addressed to this signer. |
| 3344 | + type: string |
| 3345 | + required: |
| 3346 | + - keyType |
| 3347 | + - signerName |
| 3348 | + type: object |
3263 | 3349 | secret: |
3264 | 3350 | description: secret information about the secret |
3265 | 3351 | data to project |
@@ -3394,7 +3480,6 @@ spec: |
3394 | 3480 | description: |- |
3395 | 3481 | rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. |
3396 | 3482 | Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. |
3397 | | - More info: https://examples.k8s.io/volumes/rbd/README.md |
3398 | 3483 | properties: |
3399 | 3484 | fsType: |
3400 | 3485 | description: |- |
@@ -3841,7 +3926,7 @@ spec: |
3841 | 3926 | description: |- |
3842 | 3927 | Claims lists the names of resources, defined in spec.resourceClaims, |
3843 | 3928 | that are used by this container. |
3844 | | - This is an alpha field and requires enabling the |
| 3929 | + This field depends on the |
3845 | 3930 | DynamicResourceAllocation feature gate. |
3846 | 3931 | This field is immutable. It can only be set for containers. |
3847 | 3932 | items: |
@@ -5140,7 +5225,7 @@ apiVersion: apiextensions.k8s.io/v1 |
5140 | 5225 | kind: CustomResourceDefinition |
5141 | 5226 | metadata: |
5142 | 5227 | annotations: |
5143 | | - controller-gen.kubebuilder.io/version: v0.18.0 |
| 5228 | + controller-gen.kubebuilder.io/version: v0.19.0 |
5144 | 5229 | name: extensionservices.projectcontour.io |
5145 | 5230 | spec: |
5146 | 5231 | preserveUnknownFields: false |
@@ -5620,7 +5705,7 @@ apiVersion: apiextensions.k8s.io/v1 |
5620 | 5705 | kind: CustomResourceDefinition |
5621 | 5706 | metadata: |
5622 | 5707 | annotations: |
5623 | | - controller-gen.kubebuilder.io/version: v0.18.0 |
| 5708 | + controller-gen.kubebuilder.io/version: v0.19.0 |
5624 | 5709 | name: httpproxies.projectcontour.io |
5625 | 5710 | spec: |
5626 | 5711 | preserveUnknownFields: false |
@@ -8522,7 +8607,7 @@ apiVersion: apiextensions.k8s.io/v1 |
8522 | 8607 | kind: CustomResourceDefinition |
8523 | 8608 | metadata: |
8524 | 8609 | annotations: |
8525 | | - controller-gen.kubebuilder.io/version: v0.18.0 |
| 8610 | + controller-gen.kubebuilder.io/version: v0.19.0 |
8526 | 8611 | name: tlscertificatedelegations.projectcontour.io |
8527 | 8612 | spec: |
8528 | 8613 | preserveUnknownFields: false |
|