# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # [START anthosconfig_crd] apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.5.0 creationTimestamp: null name: configmanagements.configmanagement.gke.io spec: group: configmanagement.gke.io names: kind: ConfigManagement listKind: ConfigManagementList plural: configmanagements singular: configmanagement scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: ConfigManagement is the Schema for the ConfigManagement API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: properties: name: pattern: config-management type: string type: object spec: description: ConfigManagementSpec defines the desired state of ConfigManagement. properties: ConfigSyncDisableFSWatcher: description: ConfigSyncDisableFSWatcher provides the ability to disable the fs-watcher process. This field is intentionally left hidden/undocumented since it is only meant to be used by customers who have very large repositories. Optional. type: boolean ConfigSyncLogLevel: description: ConfigSyncLogLevel overrides the logging verbosity for all ConfigSync pods. This field is intentionally left hidden/undocumented since it is really only used to gather extra logs for support cases. type: integer binauthz: description: 'Deprecated: Does nothing. binauthz can no longer be enabled/disabled with the ConfigManagement resource; the software is available as a standalone: https://cloud.google.com/binary-authorization' properties: enabled: description: 'Enable or disable BinAuthz. Default: false.' type: boolean policyRef: description: PolicyRef is a reference to the BinAuthz policy which will be evaluated. Required if BinAuthz is enabled. properties: gkeCluster: description: BinAuthz policy associated with this GKE-on-GCP cluster. properties: location: description: Location of this cluster type: string name: description: The name of this cluster according to GKE. This is not necessarily the same as the hub membership name. type: string project: description: The name of the GCP project containing this cluster type: string type: object type: object type: object channel: description: 'Channel specifies a channel that can be used to resolve a specific addon, eg: stable It will be ignored if Version is specified' type: string clusterName: description: ClusterName, if defined, sets the name for this cluster. If unset, the cluster is considered to be unnamed, and cannot use ClusterSelectors. type: string configConnector: description: 'Deprecated: Does nothing. ConfigConnector can no longer be enabled/disabled with the ConfigManagement resource; the software is available as a standalone: https://cloud.google.com/config-connector' properties: enabled: description: 'Enable or disable the Config Connector. Default: false.' type: boolean type: object enableLegacyFields: description: EnableLegacyFields instructs the operator to use spec.git for generating a RootSync resource in MultiRepo mode. Note that this should only be set to true if spec.enableMultiRepo is set to true. type: boolean enableMultiRepo: description: EnableMultiRepo instructs the operator to enable Multi Repo mode for Config Sync. type: boolean git: description: Git contains configuration specific to importing policies from a Git repo. properties: gcpServiceAccountEmail: description: 'GCPServiceAccountEmail specifies the GCP service account used to annotate the Config Sync Kubernetes Service Account. Note: The field is used when secretType: gcpServiceAccount.' type: string policyDir: description: 'PolicyDir is the absolute path of the directory that contains the local policy. Default: the root directory of the repo.' type: string proxy: description: Proxy is a struct that contains options for configuring access to the Git repo via a proxy. Only has an effect when secretType is one of ("cookiefile", "none"). Optional. properties: httpProxy: description: HTTPProxy defines a HTTP_PROXY env variable used to access the Git repo. If both HTTPProxy and HTTPSProxy are specified, HTTPProxy will be ignored. Optional. type: string httpsProxy: description: HTTPSProxy defines a HTTPS_PROXY env variable used to access the Git repo. If both HTTPProxy and HTTPSProxy are specified, HTTPProxy will be ignored. Optional. type: string type: object secretType: description: SecretType is the type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. Required. The validation of this is case-sensitive. pattern: ^(ssh|cookiefile|gcenode|gcpserviceaccount|token|none)$ type: string syncBranch: description: 'SyncBranch is the branch to sync from. Default: "master".' type: string syncRepo: pattern: ^(((https?|git|ssh):\/\/)|git@) type: string syncRev: description: 'SyncRev is the git revision (tag or hash) to check out. Default: HEAD.' type: string syncWait: description: 'SyncWaitSeconds is the time duration in seconds between consecutive syncs. Default: 15 seconds. Note that SyncWaitSecs is not a time.Duration on purpose. This provides a reminder to developers that customers specify this value using using integers like "3" in their ConfigManagement YAML. However, time.Duration is at a nanosecond granularity, and it''s easy to introduce a bug where it looks like the code is dealing with seconds but its actually nanoseconds (or vice versa).' type: integer type: object hierarchyController: description: Hierarchy Controller enables HierarchyController components as recognized by the "hierarchycontroller.configmanagement.gke.io" label set to "true". properties: enableHierarchicalResourceQuota: description: 'HierarchicalResourceQuota enforces resource quota in a hierarchical fashion: a resource quota set for one namespace provides constraints that limit aggregate resource consumption for that namespace and all its descendants. Disabling this will not delete user created hrq CRs, but will delete all the intermediate resources created by HRQ (specifically the resource quota singletons), which are labeled with hierarchycontroller.configmanagement.gke.io/hrq for easier cleanup.' type: boolean enablePodTreeLabels: description: PodTreeLabels copies the tree labels from namespaces to pods, allowing any system that uses pod logs (such as Stackdriver logging) to inspect the hierarchy. type: boolean enabled: description: 'Enable or disable the Hierarchy Controller. Default: false.' type: boolean type: object importer: description: Importer allows one to override the existing resource requirements for the importer pod properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object metricsGCPServiceAccountEmail: description: MetricsGCPServiceAccountEmail specifies a Google Service Account (GSA) Email with the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. This GSA Email is used to annotate the `default` Kubernetes ServiceAccount under the `config-management-monitoring` namespace, which allows Config Sync to export metrics to Cloud Monitoring. type: string patches: items: type: object type: array x-kubernetes-preserve-unknown-fields: true policyController: description: Policy Controller enables PolicyController components as recognized by the "gatekeeper.sh/manifest" label set to "true". properties: auditIntervalSeconds: description: AuditIntervalSeconds. The number of seconds between audit runs. Defaults to 60 seconds. To disable audit, set this to 0. format: int64 type: integer enabled: description: 'Enable or disable the Policy Controller. Default: false.' type: boolean exemptableNamespaces: description: ExemptableNamespaces. The namespaces in this list are able to have the admission.gatekeeper.sh/ignore label set. When the label is set, Policy Controller will not be called for that namespace or any resources contained in it. `gatekeeper-system` is always exempted. items: type: string type: array logDeniesEnabled: description: 'LogDeniesEnabled. If true, Policy Controller will log all denies and dryrun failures. No effect unless policyController is enabled. Default: false.' type: boolean monitoring: description: Monitoring specifies the configuration of monitoring. properties: backends: items: type: string type: array type: object mutation: description: Mutation specifies the configuration of mutation. This is a preview feature and may change before becoming generally available. properties: enabled: description: 'Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller will be deployed to the cluster. Default: false.' type: boolean type: object referentialRulesEnabled: description: 'ReferentialRulesEnabled. If true, Policy Controller will allow `data.inventory` references in the contents of ConstraintTemplate Rego. No effect unless policyController is enabled. Default: false.' type: boolean templateLibraryInstalled: description: 'TemplateLibraryInstalled. If true, a set of default ConstraintTemplates will be deployed to the cluster. ConstraintTemplates will not be deployed if this is explicitly set to false or if policyController is not enabled. Default: true.' type: boolean type: object preventDrift: description: 'preventDrift, if set to `true`, enables the Config Sync admission webhook to prevent drifts. If set to `false`, disables the Config Sync admission webhook and does not prevent drifts. Default: false. Config Sync always corrects drifts no matter the value of preventDrift.' type: boolean sourceFormat: description: "SourceFormat specifies how the repository is formatted. See documentation for specifics of what these options do. \n Must be one of hierarchy, unstructured. Optional. Set to hierarchy if not specified. \n The validation of this is case-sensitive." pattern: ^(hierarchy|unstructured|)$ type: string syncer: description: Syncer allows one to override the existing resource requirements for the syncer pod properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object version: description: Version specifies the exact addon version to be deployed, eg 1.2.3 It should not be specified if Channel is specified type: string type: object status: description: ConfigManagementStatus defines the observed state of ConfigManagement. properties: configManagementVersion: description: ConfigManagementVersion is the semantic version number of the config management system enforced by the currently running config management operator. type: string errors: items: type: string type: array healthy: type: boolean phase: type: string required: - healthy type: object required: - metadata - spec type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] # [END anthosconfig_crd]