From f328ca5aa563967535fdc5baf936d09f6c695ee2 Mon Sep 17 00:00:00 2001 From: Paul Hildebrandt Date: Mon, 17 Jun 2024 18:34:53 +0200 Subject: [PATCH 1/3] 1-30 var&patch Signed-off-by: Paul Hildebrandt --- .../templates/cluster-class.yaml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml index 036eead0..f923bc8d 100644 --- a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml @@ -217,6 +217,16 @@ Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value description: "Prefix prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value oidc: will create group names like oidc:engineering and oidc:infra." + - name: restrict_kubeapi + required: false + schema: + openAPIV3Schema: + type: array + default: [] + example: ["10.6.0.0/24"] + description: "Allows restricting access to kubernetes API by list of CIDRs. Empty list (default) means public, [ "none" ] means internal access only." + items: + type: string patches: - name: k8s_version description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version." 
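Review bot: The `restrict_kubeapi` schema defaults to `[]`, which its own description defines as public, and `items` accepts any string, so a cluster that omits the variable leaves the API load balancer open to every source and a mistyped CIDR is not caught when the variable is validated. Consider constraining the entries, for example `pattern: '^(none|([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2})$'` under `items` (extend it if IPv6 ranges are expected), and stating the open default at the start of the description. The `none` sentinel is handed to `allowedCIDRs` unchanged by the patch definition added later in this commit. Whether the OpenStack provider accepts it as an entry is not visible here and should be confirmed.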
@@ -536,3 +546,16 @@ create group names like oidc:engineering and oidc:infra." path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix" valueFrom: variable: oidc_config.groups_prefix + - name: restrict_kubeapi + description: "Sets list of CIDRS for restricting access to kubernetes API" + enabledIf: {{ `"{{ if .restrict_kubeapi }}true{{end}}"` }} + definitions: + - selector: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: OpenStackClusterTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: replace + path: "/spec/template/spec/apiServerLoadBalancer/allowedCIDRs" + value: restrict_kubeapi \ No newline at end of file From ec927e0b9f37897c2e3b64db04e2da449a9215d2 Mon Sep 17 00:00:00 2001 From: Paul Hildebrandt Date: Mon, 17 Jun 2024 21:22:09 +0200 Subject: [PATCH 2/3] 1-30 var&patch Signed-off-by: Paul Hildebrandt --- .../alpha/1-30/cluster-class/templates/cluster-class.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml index f923bc8d..e1dce3bf 100644 --- a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml @@ -52,9 +52,6 @@ spec: example: ["5.1.66.255", "185.150.99.255"] items: type: string - - name: controller_flavor - required: false - schema: openAPIV3Schema: type: string default: "SCS-2V-4-20" 
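Review bot: `value: restrict_kubeapi` in the new jsonPatch writes the literal string `restrict_kubeapi` to `allowedCIDRs` instead of the variable's list; the context entry just above uses `valueFrom:` with `variable: oidc_config.groups_prefix`, and this one should likewise use `valueFrom:` with `variable: restrict_kubeapi`. The selector also pairs `kind: OpenStackClusterTemplate` with `matchResources: controlPlane: true`, whereas the infrastructure cluster template is normally selected with `infrastructureCluster: true`. As written the patch probably never matches, and the CIDR restriction would be skipped without any error. `op: replace` additionally requires `allowedCIDRs` to exist already in the template, which this hunk does not show; `op: add` would work whether or not the field is present.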
@@ -224,7 +221,7 @@ create group names like oidc:engineering and oidc:infra." type: array default: [] example: ["10.6.0.0/24"] - description: "Allows restricting access to kubernetes API by list of CIDRs. Empty list (default) means public, [ "none" ] means internal access only." + description: "Allows restricting access to kubernetes API by list of CIDRs. Empty list (default) means public, [ 'none' ] means internal access only." items: type: string patches: From 846ca69b4ca41ba47b9210a0f1050abccb58f82d Mon Sep 17 00:00:00 2001 From: Paul Hildebrandt Date: Mon, 17 Jun 2024 21:33:45 +0200 Subject: [PATCH 3/3] 1-30 var&patch Signed-off-by: Paul Hildebrandt --- .../alpha/1-30/cluster-class/templates/cluster-class.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml index e1dce3bf..44442f70 100644 --- a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml @@ -52,6 +52,9 @@ spec: example: ["5.1.66.255", "185.150.99.255"] items: type: string + - name: controller_flavor + required: false + schema: openAPIV3Schema: type: string default: "SCS-2V-4-20"