Kubernetes Cluster API Provider OpenStack

Enabled defines whether a load balancer should be created.

AdditionalPorts adds additional tcp ports to the load balancer.

AllowedCIDRs restrict access to all API-Server listeners to the given address CIDRs.

Octavia Provider Used to create load balancer

Name of the block device in the context of a machine. If the block device is a volume, the Cinder volume will be named as a combination of the machine name and this name. Also, this name will be used for tagging the block device. Information about the block device tag can be obtained from the OpenStack metadata API or the config drive.

SizeGiB is the size of the block device in gibibytes (GiB).

Storage specifies the storage type of the block device and additional storage options.

Instance for the bastion itself

OVSHWOffload enables or disables the OVS hardware offload feature.

TrustedVF enables or disables the “trusted mode” for the VF.

Type is the type of block device to create. This can be either “Volume” or “Local”.

Volume contains additional storage options for a volume block device.

"Local"

LocalBlockDevice is an ephemeral block device attached to the server.

"Volume"

VolumeBlockDevice is a volume block device attached to the server.

Type is the Cinder volume type of the volume. If omitted, the default Cinder volume type that is configured in the OpenStack cloud will be used.

AvailabilityZone is the volume availability zone to create the volume in. If omitted, the availability zone of the server will be used. The availability zone must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information.

The FixedIP in the corresponding subnet

The subnet in which the FixedIP is used for the Gateway of this router

Subnet is an openstack subnet query that will return the id of a subnet to create the fixed IP of a port in. This query must not return more than one subnet.

(Members of NetworkStatus are embedded into this type.)

Subnets is a list of subnets associated with the default cluster network. Machines which use the default cluster network will get an address from all of these subnets.

The name of the cloud to use from the clouds secret

NodeCIDR is the OpenStack Subnet to be created. Cluster actuator will create a network, a subnet with NodeCIDR, and a router connected to this subnet. If you leave this empty, no network will be created.

If NodeCIDR is set this option can be used to detect an existing router. If specified, no new router will be created.

If NodeCIDR cannot be set this can be used to detect an existing network.

If NodeCIDR cannot be set this can be used to detect an existing subnet.

NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. This value will be used only if the Cluster actuator creates the network. If leaved empty, the network will have the default MTU defined in Openstack network service. To use this field, the Openstack installation requires the net-mtu neutron API extension.

DNSNameservers is the list of nameservers for OpenStack Subnet being created. Set this value when you need create a new network/subnet while the access through DNS is required.

ExternalRouterIPs is an array of externalIPs on the respective subnets. This is necessary if the router needs a fixed ip in a specific subnet.

ExternalNetworkID is the ID of an external OpenStack Network. This is necessary to get public internet to the VMs.

APIServerLoadBalancer configures the optional LoadBalancer for the APIServer. It must be activated by setting enabled: true.

DisableAPIServerFloatingIP determines whether or not to attempt to attach a floating IP to the API server. This allows for the creation of clusters when attaching a floating IP to the API server (and hence, in many cases, exposing the API server to the internet) is not possible or desirable, e.g. if using a shared VLAN for communication between management and workload clusters or when the management cluster is inside the project network. This option requires that the API server use a VIP on the cluster network so that the underlying machines can change without changing ControlPlaneEndpoint.Host. When using a managed load balancer, this VIP will be managed automatically. If not using a managed load balancer, cluster configuration will fail without additional configuration to manage the VIP on the control plane machines, which falls outside of the scope of this controller.

APIServerFloatingIP is the floatingIP which will be associated with the API server. The floatingIP will be created if it does not already exist. If not specified, a new floatingIP is allocated. This field is not used if DisableAPIServerFloatingIP is set to true.

APIServerFixedIP is the fixed IP which will be associated with the API server. In the case where the API server has a floating IP but not a managed load balancer, this field is not used. If a managed load balancer is used and this field is not specified, a fixed IP will be dynamically allocated for the load balancer. If a managed load balancer is not used AND the API server floating IP is disabled, this field MUST be specified and should correspond to a pre-allocated port that holds the fixed IP to be used as a VIP.

APIServerPort is the port on which the listener on the APIServer will be created

ManagedSecurityGroups determines whether OpenStack security groups for the cluster will be managed by the OpenStack provider or whether pre-existing security groups will be specified as part of the configuration. By default, the managed security groups have rules that allow the Kubelet, etcd, the Kubernetes API server and the Calico CNI plugin to function correctly.

AllowAllInClusterTraffic is only used when managed security groups are in use. If set to true, the rules for the managed security groups are configured so that all ingress and egress between cluster nodes is permitted, allowing CNIs other than Calico to be used.

DisablePortSecurity disables the port security of the network created for the Kubernetes cluster, which also disables SecurityGroups

Tags for all resources in cluster

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

ControlPlaneAvailabilityZones is the az to deploy control plane to

Indicates whether to omit the az for control plane nodes, allowing the Nova scheduler to make a decision on which az to use based on other scheduling constraints

Bastion is the OpenStack instance to login the nodes

As a rolling update is not ideal during a bastion host session, we prevent changes to a running bastion configuration. Set enabled: false to make changes.

IdentityRef is a reference to a identity to be used when reconciling this cluster

Network contains information about the created OpenStack Network.

externalNetwork contains information about the external network used for default ingress and egress traffic.

Router describes the default cluster router

APIServerLoadBalancer describes the api server load balancer if one exists

FailureDomains represent OpenStack availability zones

ControlPlaneSecurityGroups contains all the information about the OpenStack Security Group that needs to be applied to control plane nodes. TODO: Maybe instead of two properties, we add a property to the group?

WorkerSecurityGroup contains all the information about the OpenStack Security Group that needs to be applied to worker nodes.

FailureReason will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a succinct value suitable for machine interpretation.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

FailureMessage will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

Kind of the identity. Must be supported by the infrastructure provider and may be either cluster or namespace-scoped.

Name of the infrastructure identity to be used. Must be either a cluster-scoped resource, or namespaced-scoped resource the same namespace as the resource(s) being provisioned.

ProviderID is the unique identifier as specified by the cloud provider.

InstanceID is the OpenStack instance ID for this machine.

The name of the cloud to use from the clouds secret

The flavor reference for the flavor for your server instance.

The name of the image to use for your server instance. If the RootVolume is specified, this will be ignored and use rootVolume directly.

The uuid of the image to use for your server instance. if it’s empty, Image name will be used

The ssh key to inject in the instance

Ports to be attached to the server instance. They are created if a port with the given name does not already exist. If not specified a default port will be added for the default cluster network.

The floatingIP which will be associated to the machine, only used for master. The floatingIP should have been created and haven’t been associated.

The names of the security groups to assign to the instance

Whether the server instance is created on a trunk port or not.

Machine tags Requires Nova api 2.52 minimum!

Metadata mapping. Allows you to create a map of key value pairs to add to the server instance.

Config Drive support

The volume metadata to boot from

AdditionalBlockDevices is a list of specifications for additional block devices to attach to the server instance

The server group to assign the machine to

IdentityRef is a reference to a identity to be used when reconciling this cluster. If not specified, the identity ref of the cluster will be used instead.

Ready is true when the provider resource is ready.

Addresses contains the OpenStack instance associated addresses.

InstanceState is the state of the OpenStack instance for this machine.

FailureMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller’s output.

Spec is the specification of the desired behavior of the machine.

Network is a query for an openstack network that the port will be created or discovered on. This will fail if the query returns more than one network.

Used to make the name of the port unique. If unspecified, instead the 0-based index of the port in the list is used.

Specify pairs of subnet and/or IP address. These should be subnets of the network with the given NetworkID.

The names, uuids, filters or any combination these of the security groups to assign to the instance

Enables and disables trunk at port level. If not provided, openStackMachine.Spec.Trunk is inherited.

The ID of the host where the port is allocated

The virtual network interface card (vNIC) type that is bound to the neutron port.

Profile is a set of key-value pairs that are used for binding details. We intentionally don’t expose this as a map[string]string because we only want to enable the users to set the values of the keys that are known to work in OpenStack Networking API. See https://docs.openstack.org/api-ref/network/v2/index.html?expanded=create-port-detail#create-port

DisablePortSecurity enables or disables the port security when set. When not set, it takes the value of the corresponding field at the network level.

PropageteUplinkStatus enables or disables the propagate uplink status on the port.

Tags applied to the port (and corresponding trunk, if a trunk is configured.) These tags are applied in addition to the instance’s tags, which will also be applied to the port.

Value specs are extra parameters to include in the API request with OpenStack. This is an extension point for the API, so what they do and if they are supported, depends on the specific OpenStack implementation.

Name is the name of the key-value pair. This is just for identifying the pair and will not be sent to the OpenStack API.

Key is the key in the key-value pair.

Value is the value in the key-value pair.