Kubernetes Cluster API Provider OpenStack

Enabled defines whether a load balancer should be created.

AdditionalPorts adds additional tcp ports to the load balancer.

AllowedCIDRs restrict access to all API-Server listeners to the given address CIDRs.

Octavia Provider Used to create load balancer

Instance for the bastion itself

The FixedIP in the corresponding subnet

The subnet in which the FixedIP is used for the Gateway of this router

Subnet is an openstack subnet query that will return the id of a subnet to create the fixed IP of a port in. This query must not return more than one subnet.

Be careful when using APIServerLoadBalancer, because this field is optional and therefore not set in all cases

Optional UUID of the network. If specified this will not be validated prior to server creation. Required if Subnets specifies a subnet by UUID.

A fixed IPv4 address for the NIC.

Filters for optional network query

Subnet within a network to use

The name of the cloud to use from the clouds secret

NodeCIDR is the OpenStack Subnet to be created. Cluster actuator will create a network, a subnet with NodeCIDR, and a router connected to this subnet. If you leave this empty, no network will be created.

If NodeCIDR cannot be set this can be used to detect an existing network.

If NodeCIDR cannot be set this can be used to detect an existing subnet.

DNSNameservers is the list of nameservers for OpenStack Subnet being created. Set this value when you need create a new network/subnet while the access through DNS is required.

ExternalRouterIPs is an array of externalIPs on the respective subnets. This is necessary if the router needs a fixed ip in a specific subnet.

ExternalNetworkID is the ID of an external OpenStack Network. This is necessary to get public internet to the VMs.

APIServerLoadBalancer configures the optional LoadBalancer for the APIServer. It must be activated by setting enabled: true.

DisableAPIServerFloatingIP determines whether or not to attempt to attach a floating IP to the API server. This allows for the creation of clusters when attaching a floating IP to the API server (and hence, in many cases, exposing the API server to the internet) is not possible or desirable, e.g. if using a shared VLAN for communication between management and workload clusters or when the management cluster is inside the project network. This option requires that the API server use a VIP on the cluster network so that the underlying machines can change without changing ControlPlaneEndpoint.Host. When using a managed load balancer, this VIP will be managed automatically. If not using a managed load balancer, cluster configuration will fail without additional configuration to manage the VIP on the control plane machines, which falls outside of the scope of this controller.

APIServerFloatingIP is the floatingIP which will be associated with the API server. The floatingIP will be created if it does not already exist. If not specified, a new floatingIP is allocated. This field is not used if DisableAPIServerFloatingIP is set to true.

APIServerFixedIP is the fixed IP which will be associated with the API server. In the case where the API server has a floating IP but not a managed load balancer, this field is not used. If a managed load balancer is used and this field is not specified, a fixed IP will be dynamically allocated for the load balancer. If a managed load balancer is not used AND the API server floating IP is disabled, this field MUST be specified and should correspond to a pre-allocated port that holds the fixed IP to be used as a VIP.

APIServerPort is the port on which the listener on the APIServer will be created

ManagedSecurityGroups determines whether OpenStack security groups for the cluster will be managed by the OpenStack provider or whether pre-existing security groups will be specified as part of the configuration. By default, the managed security groups have rules that allow the Kubelet, etcd, the Kubernetes API server and the Calico CNI plugin to function correctly.

AllowAllInClusterTraffic is only used when managed security groups are in use. If set to true, the rules for the managed security groups are configured so that all ingress and egress between cluster nodes is permitted, allowing CNIs other than Calico to be used.

DisablePortSecurity disables the port security of the network created for the Kubernetes cluster, which also disables SecurityGroups

Tags for all resources in cluster

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

ControlPlaneAvailabilityZones is the az to deploy control plane to

Indicates whether to omit the az for control plane nodes, allowing the Nova scheduler to make a decision on which az to use based on other scheduling constraints

Bastion is the OpenStack instance to login the nodes

As a rolling update is not ideal during a bastion host session, we prevent changes to a running bastion configuration. Set enabled: false to make changes.

IdentityRef is a reference to a identity to be used when reconciling this cluster

Network contains all information about the created OpenStack Network. It includes Subnets and Router.

External Network contains information about the created OpenStack external network.

FailureDomains represent OpenStack availability zones

ControlPlaneSecurityGroups contains all the information about the OpenStack Security Group that needs to be applied to control plane nodes. TODO: Maybe instead of two properties, we add a property to the group?

WorkerSecurityGroup contains all the information about the OpenStack Security Group that needs to be applied to worker nodes.

FailureReason will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a succinct value suitable for machine interpretation.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

FailureMessage will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

Kind of the identity. Must be supported by the infrastructure provider and may be either cluster or namespace-scoped.

Name of the infrastructure identity to be used. Must be either a cluster-scoped resource, or namespaced-scoped resource the same namespace as the resource(s) being provisioned.

ProviderID is the unique identifier as specified by the cloud provider.

InstanceID is the OpenStack instance ID for this machine.

The name of the cloud to use from the clouds secret

The flavor reference for the flavor for your server instance.

The name of the image to use for your server instance. If the RootVolume is specified, this will be ignored and use rootVolume directly.

The uuid of the image to use for your server instance. if it’s empty, Image name will be used

The ssh key to inject in the instance

A networks object. Required parameter when there are multiple networks defined for the tenant. When you do not specify both networks and ports parameters, the server attaches to the only network created for the current tenant.

Ports to be attached to the server instance. They are created if a port with the given name does not already exist. When you do not specify both networks and ports parameters, the server attaches to the only network created for the current tenant.

UUID, IP address of a port from this subnet will be marked as AccessIPv4 on the created compute instance

The floatingIP which will be associated to the machine, only used for master. The floatingIP should have been created and haven’t been associated.

The names of the security groups to assign to the instance

Whether the server instance is created on a trunk port or not.

Machine tags Requires Nova api 2.52 minimum!

Metadata mapping. Allows you to create a map of key value pairs to add to the server instance.

Config Drive support

The volume metadata to boot from

The server group to assign the machine to

IdentityRef is a reference to a identity to be used when reconciling this cluster

Ready is true when the provider resource is ready.

Addresses contains the OpenStack instance associated addresses.

InstanceState is the state of the OpenStack instance for this machine.

FailureMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller’s output.

Spec is the specification of the desired behavior of the machine.

Network is a query for an openstack network that the port will be created or discovered on. This will fail if the query returns more than one network.

Used to make the name of the port unique. If unspecified, instead the 0-based index of the port in the list is used.

Specify pairs of subnet and/or IP address. These should be subnets of the network with the given NetworkID.

The uuids of the security groups to assign to the instance

The names, uuids, filters or any combination these of the security groups to assign to the instance

Enables and disables trunk at port level. If not provided, openStackMachine.Spec.Trunk is inherited.

The ID of the host where the port is allocated

The virtual network interface card (vNIC) type that is bound to the neutron port.

A dictionary that enables the application running on the specified host to pass and receive virtual network interface (VIF) port-specific information to the plug-in.

DisablePortSecurity enables or disables the port security when set. When not set, it takes the value of the corresponding field at the network level.

Tags applied to the port (and corresponding trunk, if a trunk is configured.) These tags are applied in addition to the instance’s tags, which will also be applied to the port.

Value specs are extra parameters to include in the API request with OpenStack. This is an extension point for the API, so what they do and if they are supported, depends on the specific OpenStack implementation.

Security Group UID

Security Group name

Filters used to query security groups in openstack

Optional UUID of the subnet. If specified this will not be validated prior to server creation. If specified, the enclosing NetworkParam must also be specified by UUID.

Filters for optional subnet query

Name is the name of the key-value pair. This is just for identifying the pair and will not be sent to the OpenStack API.

Key is the key in the key-value pair.

Value is the value in the key-value pair.