Kubernetes Cluster API Provider OpenStack

Enabled defines whether a load balancer should be created. This value defaults to true if an APIServerLoadBalancer is given.

There is no reason to set this to false. To disable creation of the API server loadbalancer, omit the APIServerLoadBalancer field in the cluster spec instead.

AdditionalPorts adds additional tcp ports to the load balancer.

AllowedCIDRs restrict access to all API-Server listeners to the given address CIDRs.

Provider specifies name of a specific Octavia provider to use for the API load balancer. The Octavia default will be used if it is not specified.

Network defines which network should the load balancer be allocated on.

Subnets define which subnets should the load balancer be allocated on. It is expected that subnets are located on the network specified in this resource. Only the first element is taken into account. kubebuilder:validation:MaxLength:=2

AvailabilityZone is the failure domain that will be used to create the APIServerLoadBalancer Spec.

Name of the block device in the context of a machine. If the block device is a volume, the Cinder volume will be named as a combination of the machine name and this name. Also, this name will be used for tagging the block device. Information about the block device tag can be obtained from the OpenStack metadata API or the config drive. Name cannot be ‘root’, which is reserved for the root volume.

SizeGiB is the size of the block device in gibibytes (GiB).

Storage specifies the storage type of the block device and additional storage options.

IPAddress is the IP address of the allowed address pair. Depending on the configuration of Neutron, it may be supported to specify a CIDR instead of a specific IP address.

MACAddress is the MAC address of the allowed address pair. If not specified, the MAC address will be the MAC address of the port.

Start represents the start of the AllocationPool, that is the lowest IP of the pool.

End represents the end of the AlloctionPool, that is the highest IP of the pool.

Enabled means that bastion is enabled. The bastion is enabled by default if this field is not specified. Set this field to false to disable the bastion.

It is not currently possible to remove the bastion from the cluster spec without first disabling it by setting this field to false and waiting until the bastion has been deleted.

Spec for the bastion itself

AvailabilityZone is the failure domain that will be used to create the Bastion Spec.

FloatingIP which will be associated to the bastion machine. It’s the IP address, not UUID. The floating IP should already exist and should not be associated with a port. If FIP of this address does not exist, CAPO will try to create it, but by default only OpenStack administrators have privileges to do so.

Resolved contains parts of the bastion’s machine spec with all external references fully resolved.

Resources contains references to OpenStack resources created for the bastion.

OVSHWOffload enables or disables the OVS hardware offload feature.

TrustedVF enables or disables the “trusted mode” for the VF.

Type is the type of block device to create. This can be either “Volume” or “Local”.

Volume contains additional storage options for a volume block device.

"Local"

LocalBlockDevice is an ephemeral block device attached to the server.

"Volume"

VolumeBlockDevice is a volume block device attached to the server.

Type is the Cinder volume type of the volume. If omitted, the default Cinder volume type that is configured in the OpenStack cloud will be used.

AvailabilityZone is the volume availability zone to create the volume in. If not specified, the volume will be created without an explicit availability zone.

The FixedIP in the corresponding subnet

The subnet in which the FixedIP is used for the Gateway of this router

Tags is a list of tags to filter by. If specified, the resource must have all of the tags specified to be included in the result.

TagsAny is a list of tags to filter by. If specified, the resource must have at least one of the tags specified to be included in the result.

NotTags is a list of tags to filter by. If specified, resources which contain all of the given tags will be excluded from the result.

NotTagsAny is a list of tags to filter by. If specified, resources which contain any of the given tags will be excluded from the result.

Subnet is an openstack subnet query that will return the id of a subnet to create the fixed IP of a port in. This query must not return more than one subnet.

IPAddress is a specific IP address to assign to the port. If Subnet is also specified, IPAddress must be a valid IP address in the subnet. If Subnet is not specified, IPAddress must be a valid IP address in any subnet of the port’s network.

The name of the desired image. If specified, the combination of name and tags must return a single matching image or an error will be raised.

The tags associated with the desired image. If specified, the combination of name and tags must return a single matching image or an error will be raised.

ID is the uuid of the image. ID will not be validated before use.

Filter describes a query for an image. If specified, the combination of name and tags must return a single matching image or an error will be raised.

LoadBalancerNetwork contains information about network and/or subnets which the loadbalancer is allocated on. If subnets are specified within the LoadBalancerNetwork currently only the first subnet in the list is taken into account.

Ports is the status of the ports created for the machine.

allNodesSecurityGroupRules defines the rules that should be applied to all nodes.

AllowAllInClusterTraffic allows all ingress and egress traffic between cluster nodes when set to true.

(Members of FilterByNeutronTags are embedded into this type.)

ID is the ID of the network to use. If ID is provided, the other filters cannot be provided. Must be in UUID format.

Filter specifies a filter to select an OpenStack network. If provided, cannot be empty.

(Members of NetworkStatus are embedded into this type.)

Subnets is a list of subnets associated with the default cluster network. Machines which use the default cluster network will get an address from all of these subnets.

ManagedSubnets describe OpenStack Subnets to be created. Cluster actuator will create a network, subnets with the defined CIDR, and a router connected to these subnets. Currently only one IPv4 subnet is supported. If you leave this empty, no network will be created.

Router specifies an existing router to be used if ManagedSubnets are specified. If specified, no new router will be created.

Network specifies an existing network to use if no ManagedSubnets are specified.

Subnets specifies existing subnets to use if not ManagedSubnets are specified. All subnets must be in the network specified by Network. There can be zero, one, or two subnets. If no subnets are specified, all subnets in Network will be used. If 2 subnets are specified, one must be IPv4 and the other IPv6.

NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. This value will be used only if the Cluster actuator creates the network. If left empty, the network will have the default MTU defined in Openstack network service. To use this field, the Openstack installation requires the net-mtu neutron API extension.

ExternalRouterIPs is an array of externalIPs on the respective subnets. This is necessary if the router needs a fixed ip in a specific subnet.

ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. This option is ignored if DisableExternalNetwork is set to true.

If ExternalNetwork is defined it must refer to exactly one external network.

If ExternalNetwork is not defined or is empty the controller will use any existing external network as long as there is only one. It is an error if ExternalNetwork is not defined and there are multiple external networks unless DisableExternalNetwork is also set.

If ExternalNetwork is not defined and there are no external networks the controller will proceed as though DisableExternalNetwork was set.

DisableExternalNetwork specifies whether or not to attempt to connect the cluster to an external network. This allows for the creation of clusters when connecting to an external network is not possible or desirable, e.g. if using a provider network.

APIServerLoadBalancer configures the optional LoadBalancer for the APIServer. If not specified, no load balancer will be created for the API server.

DisableAPIServerFloatingIP determines whether or not to attempt to attach a floating IP to the API server. This allows for the creation of clusters when attaching a floating IP to the API server (and hence, in many cases, exposing the API server to the internet) is not possible or desirable, e.g. if using a shared VLAN for communication between management and workload clusters or when the management cluster is inside the project network. This option requires that the API server use a VIP on the cluster network so that the underlying machines can change without changing ControlPlaneEndpoint.Host. When using a managed load balancer, this VIP will be managed automatically. If not using a managed load balancer, cluster configuration will fail without additional configuration to manage the VIP on the control plane machines, which falls outside of the scope of this controller.

APIServerFloatingIP is the floatingIP which will be associated with the API server. The floatingIP will be created if it does not already exist. If not specified, a new floatingIP is allocated. This field is not used if DisableAPIServerFloatingIP is set to true.

APIServerFixedIP is the fixed IP which will be associated with the API server. In the case where the API server has a floating IP but not a managed load balancer, this field is not used. If a managed load balancer is used and this field is not specified, a fixed IP will be dynamically allocated for the load balancer. If a managed load balancer is not used AND the API server floating IP is disabled, this field MUST be specified and should correspond to a pre-allocated port that holds the fixed IP to be used as a VIP.

APIServerPort is the port on which the listener on the APIServer will be created

ManagedSecurityGroups determines whether OpenStack security groups for the cluster will be managed by the OpenStack provider or whether pre-existing security groups will be specified as part of the configuration. By default, the managed security groups have rules that allow the Kubelet, etcd, and the Kubernetes API server to function correctly. It’s possible to add additional rules to the managed security groups. When defined to an empty struct, the managed security groups will be created with the default rules.

DisablePortSecurity disables the port security of the network created for the Kubernetes cluster, which also disables SecurityGroups

Tags to set on all resources in cluster which support tags

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. It is normally populated automatically by the OpenStackCluster controller during cluster provisioning. If it is set on creation the control plane endpoint will use the values set here in preference to values set elsewhere. ControlPlaneEndpoint cannot be modified after ControlPlaneEndpoint.Host has been set.

ControlPlaneAvailabilityZones is the set of availability zones which control plane machines may be deployed to.

ControlPlaneOmitAvailabilityZone causes availability zone to be omitted when creating control plane nodes, allowing the Nova scheduler to make a decision on which availability zone to use based on other scheduling constraints

Bastion is the OpenStack instance to login the nodes

As a rolling update is not ideal during a bastion host session, we prevent changes to a running bastion configuration. To make changes, it’s required to first set enabled: false which will remove the bastion and then changes can be made.

IdentityRef is a reference to a secret holding OpenStack credentials to be used when reconciling this cluster. It is also to reconcile machines unless overridden in the machine spec.

Ready is true when the cluster infrastructure is ready.

Network contains information about the created OpenStack Network.

ExternalNetwork contains information about the external network used for default ingress and egress traffic.

Router describes the default cluster router

APIServerLoadBalancer describes the api server load balancer if one exists

FailureDomains represent OpenStack availability zones

ControlPlaneSecurityGroup contains the information about the OpenStack Security Group that needs to be applied to control plane nodes.

WorkerSecurityGroup contains the information about the OpenStack Security Group that needs to be applied to worker nodes.

BastionSecurityGroup contains the information about the OpenStack Security Group that needs to be applied to worker nodes.

Bastion contains the information about the deployed bastion host

FailureReason will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a succinct value suitable for machine interpretation.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

FailureMessage will be set in the event that there is a terminal problem reconciling the OpenStackCluster and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the OpenStackCluster’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of OpenStackClusters can be added as events to the OpenStackCluster object and/or logged in the controller’s output.

Name is the name of a secret in the same namespace as the resource being provisioned. The secret must contain a key named clouds.yaml which contains an OpenStack clouds.yaml file. The secret may optionally contain a key named cacert containing a PEM-encoded CA certificate.

CloudName specifies the name of the entry in the clouds.yaml file to use.

ProviderID is the unique identifier as specified by the cloud provider.

The flavor reference for the flavor for your server instance.

The image to use for your server instance. If the rootVolume is specified, this will be used when creating the root volume.

The ssh key to inject in the instance

Ports to be attached to the server instance. They are created if a port with the given name does not already exist. If not specified a default port will be added for the default cluster network.

The names of the security groups to assign to the instance

Whether the server instance is created on a trunk port or not.

Tags which will be added to the machine and all dependent resources which support them. These are in addition to Tags defined on the cluster. Requires Nova api 2.52 minimum!

Metadata mapping. Allows you to create a map of key value pairs to add to the server instance.

Config Drive support

The volume metadata to boot from

AdditionalBlockDevices is a list of specifications for additional block devices to attach to the server instance

The server group to assign the machine to.

IdentityRef is a reference to a secret holding OpenStack credentials to be used when reconciling this machine. If not specified, the credentials specified in the cluster will be used.

floatingIPPoolRef is a reference to a IPPool that will be assigned to an IPAddressClaim. Once the IPAddressClaim is fulfilled, the FloatingIP will be assigned to the OpenStackMachine.

Ready is true when the provider resource is ready.

InstanceID is the OpenStack instance ID for this machine.

Addresses contains the OpenStack instance associated addresses.

InstanceState is the state of the OpenStack instance for this machine.

Resolved contains parts of the machine spec with all external references fully resolved.

Resources contains references to OpenStack resources created for the machine.

FailureMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine’s spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.

Any transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller’s output.

Spec is the specification of the desired behavior of the machine.

Network is a query for an openstack network that the port will be created or discovered on. This will fail if the query returns more than one network.

Description is a human-readable description for the port.

NameSuffix will be appended to the name of the port if specified. If unspecified, instead the 0-based index of the port in the list is used.

FixedIPs is a list of pairs of subnet and/or IP address to assign to the port. If specified, these must be subnets of the port’s network.

SecurityGroups is a list of the names, uuids, filters or any combination these of the security groups to assign to the instance.

Tags applied to the port (and corresponding trunk, if a trunk is configured.) These tags are applied in addition to the instance’s tags, which will also be applied to the port.

Trunk specifies whether trunking is enabled at the port level. If not provided the value is inherited from the machine, or false for a bastion host.

(Members of ResolvedPortSpecFields are embedded into this type.)

ID is the unique identifier of the port.

SubnetID is the id of a subnet to create the fixed IP of a port in.

IPAddress is a specific IP address to assign to the port. If SubnetID is also specified, IPAddress must be a valid IP address in the subnet. If Subnet is not specified, IPAddress must be a valid IP address in any subnet of the port’s network.

ServerGroupID is the ID of the server group the machine should be added to and is calculated based on ServerGroupFilter.

ImageID is the ID of the image to use for the machine and is calculated based on ImageFilter.

Ports is the fully resolved list of ports to create for the machine.

Name is the name of the port.

Description is a human-readable description for the port.

NetworkID is the ID of the network the port will be created in.

Tags applied to the port (and corresponding trunk, if a trunk is configured.)

Trunk specifies whether trunking is enabled at the port level.

FixedIPs is a list of pairs of subnet and/or IP address to assign to the port. If specified, these must be subnets of the port’s network.

SecurityGroups is a list of security group IDs to assign to the port.

(Members of ResolvedPortSpecFields are embedded into this type.)

AdminStateUp specifies whether the port should be created in the up (true) or down (false) state. The default is up.

MACAddress specifies the MAC address of the port. If not specified, the MAC address will be generated.

AllowedAddressPairs is a list of address pairs which Neutron will allow the port to send traffic from in addition to the port’s addresses. If not specified, the MAC Address will be the MAC Address of the port. Depending on the configuration of Neutron, it may be supported to specify a CIDR instead of a specific IP address.

HostID specifies the ID of the host where the port resides.

VNICType specifies the type of vNIC which this port should be attached to. This is used to determine which mechanism driver(s) to be used to bind the port. The valid values are normal, macvtap, direct, baremetal, direct-physical, virtio-forwarder, smart-nic and remote-managed, although these values will not be validated in this API to ensure compatibility with future neutron changes or custom implementations. What type of vNIC is actually available depends on deployments. If not specified, the Neutron default value is used.

Profile is a set of key-value pairs that are used for binding details. We intentionally don’t expose this as a map[string]string because we only want to enable the users to set the values of the keys that are known to work in OpenStack Networking API. See https://docs.openstack.org/api-ref/network/v2/index.html?expanded=create-port-detail#create-port To set profiles, your tenant needs permissions rule:create_port, and rule:create_port:binding:profile

DisablePortSecurity enables or disables the port security when set. When not set, it takes the value of the corresponding field at the network level.

PropageteUplinkStatus enables or disables the propagate uplink status on the port.

Value specs are extra parameters to include in the API request with OpenStack. This is an extension point for the API, so what they do and if they are supported, depends on the specific OpenStack implementation.

SizeGiB is the size of the block device in gibibytes (GiB).

(Members of BlockDeviceVolume are embedded into this type.)

(Members of FilterByNeutronTags are embedded into this type.)

ID is the ID of the router to use. If ID is provided, the other filters cannot be provided. Must be in UUID format.

Filter specifies a filter to select an OpenStack router. If provided, cannot be empty.

(Members of FilterByNeutronTags are embedded into this type.)

ID is the ID of the security group to use. If ID is provided, the other filters cannot be provided. Must be in UUID format.

Filter specifies a query to select an OpenStack security group. If provided, cannot be empty.

name of the security group rule. It’s used to identify the rule so it can be patched and will not be sent to the OpenStack API.

description of the security group rule.

direction in which the security group rule is applied. The only values allowed are “ingress” or “egress”. For a compute instance, an ingress security group rule is applied to incoming (ingress) traffic for that instance. An egress rule is applied to traffic leaving the instance.

etherType must be IPv4 or IPv6, and addresses represented in CIDR must match the ingress or egress rules.

portRangeMin is a number in the range that is matched by the security group rule. If the protocol is TCP or UDP, this value must be less than or equal to the value of the portRangeMax attribute.

portRangeMax is a number in the range that is matched by the security group rule. The portRangeMin attribute constrains the portRangeMax attribute.

protocol is the protocol that is matched by the security group rule.

remoteGroupID is the remote group ID to be associated with this security group rule. You can specify either remoteGroupID or remoteIPPrefix or remoteManagedGroups.

remoteIPPrefix is the remote IP prefix to be associated with this security group rule. You can specify either remoteGroupID or remoteIPPrefix or remoteManagedGroups.

remoteManagedGroups is the remote managed groups to be associated with this security group rule. You can specify either remoteGroupID or remoteIPPrefix or remoteManagedGroups.

name of the security group

id of the security group

Name is the name of a server group to look for.

ID is the ID of the server group to use.

Filter specifies a query to select an OpenStack server group. If provided, it cannot be empty.

Key is the server metadata key

Value is the server metadata value

(Members of FilterByNeutronTags are embedded into this type.)

ID is the uuid of the subnet. It will not be validated.

Filter specifies a filter to select the subnet. It must match exactly one subnet.

CIDR is representing the IP address range used to create the subnet, e.g. 10.0.0.0/24. This field is required when defining a subnet.

DNSNameservers holds a list of DNS server addresses that will be provided when creating the subnet. These addresses need to have the same IP version as CIDR.

AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. If set, OpenStack will only allocate these IPs for Machines. It will still be possible to create ports from outside of these ranges manually.

Name is the name of the key-value pair. This is just for identifying the pair and will not be sent to the OpenStack API.

Key is the key in the key-value pair.

Value is the value in the key-value pair.

"Machine"

"Name"

From specifies where we will obtain the availability zone for the volume. The options are “Name” and “Machine”. If “Name” is specified then the Name field must also be specified. If “Machine” is specified the volume will use the value of FailureDomain, if any, from the associated Machine.

Name is the name of a volume availability zone to use. It is required if From is “Name”. The volume availability zone name may not contain spaces.