From ba85aa021b203a1ca4a929179ffe7c9e7b3e6e14 Mon Sep 17 00:00:00 2001 From: "Frank A. Zdarsky" Date: Sun, 6 Mar 2022 16:05:20 +0100 Subject: [PATCH 1/2] Reorganize assets Regroups assets by component rather than kind to simplify rebasing. 
Signed-off-by: Frank A. Zdarsky
---
 .../flannel/clusterrole.yaml} | 0
 .../flannel/clusterrolebinding.yaml} | 0
 .../flannel/configmap.yaml} | 0
 .../flannel/daemonset.yaml} | 0
 .../flannel/podsecuritypolicy.yaml} | 0
 .../flannel/service-account.yaml} | 0
 .../hostpath-provisioner/clusterrole.yaml} | 0
 .../clusterrolebinding.yaml} | 0
 .../hostpath-provisioner/daemonset.yaml} | 0
 .../hostpath-provisioner/namespace.yaml} | 0
 .../hostpath-provisioner/scc.yaml} | 0
 .../service-account.yaml} | 0
 .../hostpath-provisioner/storageclass.yaml} | 0
 .../dns/cluster-role-binding.yaml} | 0
 .../openshift-dns/dns/cluster-role.yaml} | 0
 .../openshift-dns/dns/configmap.yaml} | 0
 .../openshift-dns/dns/daemonset.yaml} | 0
 .../openshift-dns/dns/namespace.yaml} | 0
 .../openshift-dns/dns/service-account.yaml} | 0
 .../openshift-dns/dns/service.yaml} | 0
 .../node-resolver/daemonset.yaml} | 0
 .../node-resolver/service-account.yaml} | 0
 .../cluster-role-binding.yaml} | 0
 .../openshift-router/cluster-role.yaml} | 0
 .../openshift-router/configmap.yaml} | 0
 .../openshift-router/deployment.yaml} | 0
 .../openshift-router/namespace.yaml} | 0
 .../openshift-router/service-account.yaml} | 0
 .../openshift-router/service-cloud.yaml} | 0
 .../openshift-router/service-internal.yaml} | 0
 .../service-ca/clusterrole.yaml} | 0
 .../service-ca/clusterrolebinding.yaml} | 0
 .../service-ca/deployment.yaml} | 0
 .../service-ca/ns.yaml} | 0
 .../service-ca/role.yaml} | 0
 .../service-ca/rolebinding.yaml} | 0
 .../service-ca/sa.yaml} | 0
 .../service-ca/signing-cabundle.yaml} | 0
 .../service-ca/signing-secret.yaml} | 0
 pkg/assets/applier.go | 0
 pkg/assets/apps.go | 4 +-
 pkg/assets/core.go | 4 +-
 pkg/assets/crd.go | 5 +-
 pkg/assets/rbac.go | 4 +-
 pkg/assets/scc.go | 4 +-
 pkg/assets/storage.go | 4 +-
 pkg/components/controllers.go | 52 +++++++++----------
 pkg/components/networking.go | 12 ++---
 pkg/components/storage.go | 14 ++---
 scripts/bindata.sh | 11 ++--
 50 files changed, 52 insertions(+), 62 deletions(-)
 rename assets/{rbac/0000_00_flannel-clusterrole.yaml => components/flannel/clusterrole.yaml} (100%)
 rename assets/{rbac/0000_00_flannel-clusterrolebinding.yaml => components/flannel/clusterrolebinding.yaml} (100%)
 rename assets/{core/0000_00_flannel-configmap.yaml => components/flannel/configmap.yaml} (100%)
 rename assets/{apps/0000_00_flannel-daemonset.yaml => components/flannel/daemonset.yaml} (100%)
 rename assets/{rbac/0000_00_podsecuritypolicy-flannel.yaml => components/flannel/podsecuritypolicy.yaml} (100%)
 rename assets/{core/0000_00_flannel-service-account.yaml => components/flannel/service-account.yaml} (100%)
 rename assets/{rbac/0000_80_hostpath-provisioner-clusterrole.yaml => components/hostpath-provisioner/clusterrole.yaml} (100%)
 rename assets/{rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml => components/hostpath-provisioner/clusterrolebinding.yaml} (100%)
 rename assets/{apps/000_80_hostpath-provisioner-daemonset.yaml => components/hostpath-provisioner/daemonset.yaml} (100%)
 rename assets/{core/0000_80_hostpath-provisioner-namespace.yaml => components/hostpath-provisioner/namespace.yaml} (100%)
 rename assets/{scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml => components/hostpath-provisioner/scc.yaml} (100%)
 rename assets/{core/0000_80_hostpath-provisioner-serviceaccount.yaml => components/hostpath-provisioner/service-account.yaml} (100%)
 rename assets/{storage/0000_80_hostpath-provisioner-storageclass.yaml => components/hostpath-provisioner/storageclass.yaml} (100%)
 rename assets/{rbac/0000_70_dns_01-cluster-role-binding.yaml => components/openshift-dns/dns/cluster-role-binding.yaml} (100%)
 rename assets/{rbac/0000_70_dns_01-cluster-role.yaml => components/openshift-dns/dns/cluster-role.yaml} (100%)
 rename assets/{core/0000_70_dns_01-configmap.yaml => components/openshift-dns/dns/configmap.yaml} (100%)
 rename assets/{apps/0000_70_dns_01-dns-daemonset.yaml => components/openshift-dns/dns/daemonset.yaml} (100%)
 rename assets/{core/0000_70_dns_00-namespace.yaml => components/openshift-dns/dns/namespace.yaml} (100%)
 rename assets/{core/0000_70_dns_01-dns-service-account.yaml => components/openshift-dns/dns/service-account.yaml} (100%)
 rename assets/{core/0000_70_dns_01-service.yaml => components/openshift-dns/dns/service.yaml} (100%)
 rename assets/{apps/0000_70_dns_01-node-resolver-daemonset.yaml => components/openshift-dns/node-resolver/daemonset.yaml} (100%)
 rename assets/{core/0000_70_dns_01-node-resolver-service-account.yaml => components/openshift-dns/node-resolver/service-account.yaml} (100%)
 rename assets/{rbac/0000_80_openshift-router-cluster-role-binding.yaml => components/openshift-router/cluster-role-binding.yaml} (100%)
 rename assets/{rbac/0000_80_openshift-router-cluster-role.yaml => components/openshift-router/cluster-role.yaml} (100%)
 rename assets/{core/0000_80_openshift-router-cm.yaml => components/openshift-router/configmap.yaml} (100%)
 rename assets/{apps/0000_80_openshift-router-deployment.yaml => components/openshift-router/deployment.yaml} (100%)
 rename assets/{core/0000_80_openshift-router-namespace.yaml => components/openshift-router/namespace.yaml} (100%)
 rename assets/{core/0000_80_openshift-router-service-account.yaml => components/openshift-router/service-account.yaml} (100%)
 rename assets/{core/0000_80_openshift-router-external-service.yaml => components/openshift-router/service-cloud.yaml} (100%)
 rename assets/{core/0000_80_openshift-router-service.yaml => components/openshift-router/service-internal.yaml} (100%)
 rename assets/{rbac/0000_60_service-ca_00_clusterrole.yaml => components/service-ca/clusterrole.yaml} (100%)
 rename assets/{rbac/0000_60_service-ca_00_clusterrolebinding.yaml => components/service-ca/clusterrolebinding.yaml} (100%)
 rename assets/{apps/0000_60_service-ca_05_deploy.yaml => components/service-ca/deployment.yaml} (100%)
 rename assets/{core/0000_60_service-ca_01_namespace.yaml => components/service-ca/ns.yaml} (100%)
 rename assets/{rbac/0000_60_service-ca_00_role.yaml => components/service-ca/role.yaml} (100%)
 rename assets/{rbac/0000_60_service-ca_00_rolebinding.yaml => components/service-ca/rolebinding.yaml} (100%)
 rename assets/{core/0000_60_service-ca_04_sa.yaml => components/service-ca/sa.yaml} (100%)
 rename assets/{core/0000_60_service-ca_04_configmap.yaml => components/service-ca/signing-cabundle.yaml} (100%)
 rename assets/{core/0000_60_service-ca_04_secret.yaml => components/service-ca/signing-secret.yaml} (100%)
 mode change 100755 => 100644 pkg/assets/applier.go
 mode change 100755 => 100644 pkg/assets/apps.go
 mode change 100755 => 100644 pkg/assets/core.go
 mode change 100755 => 100644 pkg/assets/crd.go
 mode change 100755 => 100644 pkg/assets/rbac.go
diff --git a/assets/rbac/0000_00_flannel-clusterrole.yaml b/assets/components/flannel/clusterrole.yaml
similarity index 100%
rename from assets/rbac/0000_00_flannel-clusterrole.yaml
rename to assets/components/flannel/clusterrole.yaml
diff --git a/assets/rbac/0000_00_flannel-clusterrolebinding.yaml b/assets/components/flannel/clusterrolebinding.yaml
similarity index 100%
rename from assets/rbac/0000_00_flannel-clusterrolebinding.yaml
rename to assets/components/flannel/clusterrolebinding.yaml
diff --git a/assets/core/0000_00_flannel-configmap.yaml b/assets/components/flannel/configmap.yaml
similarity index 100%
rename from assets/core/0000_00_flannel-configmap.yaml
rename to assets/components/flannel/configmap.yaml
diff --git a/assets/apps/0000_00_flannel-daemonset.yaml b/assets/components/flannel/daemonset.yaml
similarity index 100%
rename from assets/apps/0000_00_flannel-daemonset.yaml
rename to assets/components/flannel/daemonset.yaml
diff --git a/assets/rbac/0000_00_podsecuritypolicy-flannel.yaml b/assets/components/flannel/podsecuritypolicy.yaml
similarity index 100%
rename from assets/rbac/0000_00_podsecuritypolicy-flannel.yaml
rename to assets/components/flannel/podsecuritypolicy.yaml
diff --git a/assets/core/0000_00_flannel-service-account.yaml b/assets/components/flannel/service-account.yaml
similarity index 100%
rename from assets/core/0000_00_flannel-service-account.yaml
rename to assets/components/flannel/service-account.yaml
diff --git a/assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml b/assets/components/hostpath-provisioner/clusterrole.yaml
similarity index 100%
rename from assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml
rename to assets/components/hostpath-provisioner/clusterrole.yaml
diff --git a/assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml b/assets/components/hostpath-provisioner/clusterrolebinding.yaml
similarity index 100%
rename from assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml
rename to assets/components/hostpath-provisioner/clusterrolebinding.yaml
diff --git a/assets/apps/000_80_hostpath-provisioner-daemonset.yaml b/assets/components/hostpath-provisioner/daemonset.yaml
similarity index 100%
rename from assets/apps/000_80_hostpath-provisioner-daemonset.yaml
rename to assets/components/hostpath-provisioner/daemonset.yaml
diff --git a/assets/core/0000_80_hostpath-provisioner-namespace.yaml b/assets/components/hostpath-provisioner/namespace.yaml
similarity index 100%
rename from assets/core/0000_80_hostpath-provisioner-namespace.yaml
rename to assets/components/hostpath-provisioner/namespace.yaml
diff --git a/assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml b/assets/components/hostpath-provisioner/scc.yaml
similarity index 100%
rename from assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml
rename to assets/components/hostpath-provisioner/scc.yaml
diff --git a/assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml b/assets/components/hostpath-provisioner/service-account.yaml
similarity index 100%
rename from assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml
rename to assets/components/hostpath-provisioner/service-account.yaml
diff --git a/assets/storage/0000_80_hostpath-provisioner-storageclass.yaml b/assets/components/hostpath-provisioner/storageclass.yaml
similarity index 100%
rename from assets/storage/0000_80_hostpath-provisioner-storageclass.yaml
rename to assets/components/hostpath-provisioner/storageclass.yaml
diff --git a/assets/rbac/0000_70_dns_01-cluster-role-binding.yaml b/assets/components/openshift-dns/dns/cluster-role-binding.yaml
similarity index 100%
rename from assets/rbac/0000_70_dns_01-cluster-role-binding.yaml
rename to assets/components/openshift-dns/dns/cluster-role-binding.yaml
diff --git a/assets/rbac/0000_70_dns_01-cluster-role.yaml b/assets/components/openshift-dns/dns/cluster-role.yaml
similarity index 100%
rename from assets/rbac/0000_70_dns_01-cluster-role.yaml
rename to assets/components/openshift-dns/dns/cluster-role.yaml
diff --git a/assets/core/0000_70_dns_01-configmap.yaml b/assets/components/openshift-dns/dns/configmap.yaml
similarity index 100%
rename from assets/core/0000_70_dns_01-configmap.yaml
rename to assets/components/openshift-dns/dns/configmap.yaml
diff --git a/assets/apps/0000_70_dns_01-dns-daemonset.yaml b/assets/components/openshift-dns/dns/daemonset.yaml
similarity index 100%
rename from assets/apps/0000_70_dns_01-dns-daemonset.yaml
rename to assets/components/openshift-dns/dns/daemonset.yaml
diff --git a/assets/core/0000_70_dns_00-namespace.yaml b/assets/components/openshift-dns/dns/namespace.yaml
similarity index 100%
rename from assets/core/0000_70_dns_00-namespace.yaml
rename to assets/components/openshift-dns/dns/namespace.yaml
diff --git a/assets/core/0000_70_dns_01-dns-service-account.yaml b/assets/components/openshift-dns/dns/service-account.yaml
similarity index 100%
rename from assets/core/0000_70_dns_01-dns-service-account.yaml
rename to assets/components/openshift-dns/dns/service-account.yaml
diff --git a/assets/core/0000_70_dns_01-service.yaml b/assets/components/openshift-dns/dns/service.yaml
similarity index 100%
rename from assets/core/0000_70_dns_01-service.yaml
rename to assets/components/openshift-dns/dns/service.yaml
diff --git a/assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml b/assets/components/openshift-dns/node-resolver/daemonset.yaml
similarity index 100%
rename from assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml
rename to assets/components/openshift-dns/node-resolver/daemonset.yaml
diff --git a/assets/core/0000_70_dns_01-node-resolver-service-account.yaml b/assets/components/openshift-dns/node-resolver/service-account.yaml
similarity index 100%
rename from assets/core/0000_70_dns_01-node-resolver-service-account.yaml
rename to assets/components/openshift-dns/node-resolver/service-account.yaml
diff --git a/assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml b/assets/components/openshift-router/cluster-role-binding.yaml
similarity index 100%
rename from assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml
rename to assets/components/openshift-router/cluster-role-binding.yaml
diff --git a/assets/rbac/0000_80_openshift-router-cluster-role.yaml b/assets/components/openshift-router/cluster-role.yaml
similarity index 100%
rename from assets/rbac/0000_80_openshift-router-cluster-role.yaml
rename to assets/components/openshift-router/cluster-role.yaml
diff --git a/assets/core/0000_80_openshift-router-cm.yaml b/assets/components/openshift-router/configmap.yaml
similarity index 100%
rename from assets/core/0000_80_openshift-router-cm.yaml
rename to assets/components/openshift-router/configmap.yaml
diff --git a/assets/apps/0000_80_openshift-router-deployment.yaml b/assets/components/openshift-router/deployment.yaml
similarity index 100%
rename from assets/apps/0000_80_openshift-router-deployment.yaml
rename to assets/components/openshift-router/deployment.yaml
diff --git a/assets/core/0000_80_openshift-router-namespace.yaml b/assets/components/openshift-router/namespace.yaml
similarity index 100%
rename from assets/core/0000_80_openshift-router-namespace.yaml
rename to assets/components/openshift-router/namespace.yaml
diff --git a/assets/core/0000_80_openshift-router-service-account.yaml b/assets/components/openshift-router/service-account.yaml
similarity index 100%
rename from assets/core/0000_80_openshift-router-service-account.yaml
rename to assets/components/openshift-router/service-account.yaml
diff --git a/assets/core/0000_80_openshift-router-external-service.yaml b/assets/components/openshift-router/service-cloud.yaml
similarity index 100%
rename from assets/core/0000_80_openshift-router-external-service.yaml
rename to assets/components/openshift-router/service-cloud.yaml
diff --git a/assets/core/0000_80_openshift-router-service.yaml b/assets/components/openshift-router/service-internal.yaml
similarity index 100%
rename from assets/core/0000_80_openshift-router-service.yaml
rename to assets/components/openshift-router/service-internal.yaml
diff --git a/assets/rbac/0000_60_service-ca_00_clusterrole.yaml b/assets/components/service-ca/clusterrole.yaml
similarity index 100%
rename from assets/rbac/0000_60_service-ca_00_clusterrole.yaml
rename to assets/components/service-ca/clusterrole.yaml
diff --git a/assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml b/assets/components/service-ca/clusterrolebinding.yaml
similarity index 100%
rename from assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml
rename to assets/components/service-ca/clusterrolebinding.yaml
diff --git a/assets/apps/0000_60_service-ca_05_deploy.yaml b/assets/components/service-ca/deployment.yaml
similarity index 100%
rename from assets/apps/0000_60_service-ca_05_deploy.yaml
rename to assets/components/service-ca/deployment.yaml
diff --git a/assets/core/0000_60_service-ca_01_namespace.yaml b/assets/components/service-ca/ns.yaml
similarity index 100%
rename from assets/core/0000_60_service-ca_01_namespace.yaml
rename to assets/components/service-ca/ns.yaml
diff --git a/assets/rbac/0000_60_service-ca_00_role.yaml b/assets/components/service-ca/role.yaml
similarity index 100%
rename from assets/rbac/0000_60_service-ca_00_role.yaml
rename to assets/components/service-ca/role.yaml
diff --git a/assets/rbac/0000_60_service-ca_00_rolebinding.yaml b/assets/components/service-ca/rolebinding.yaml
similarity index 100%
rename from assets/rbac/0000_60_service-ca_00_rolebinding.yaml
rename to assets/components/service-ca/rolebinding.yaml
diff --git a/assets/core/0000_60_service-ca_04_sa.yaml b/assets/components/service-ca/sa.yaml
similarity index 100%
rename from assets/core/0000_60_service-ca_04_sa.yaml
rename to assets/components/service-ca/sa.yaml
diff --git a/assets/core/0000_60_service-ca_04_configmap.yaml b/assets/components/service-ca/signing-cabundle.yaml
similarity index 100%
rename from assets/core/0000_60_service-ca_04_configmap.yaml
rename to assets/components/service-ca/signing-cabundle.yaml
diff --git a/assets/core/0000_60_service-ca_04_secret.yaml b/assets/components/service-ca/signing-secret.yaml
similarity index 100%
rename from assets/core/0000_60_service-ca_04_secret.yaml
rename to assets/components/service-ca/signing-secret.yaml
diff --git a/pkg/assets/applier.go b/pkg/assets/applier.go
old mode 100755
new mode 100644
diff --git a/pkg/assets/apps.go b/pkg/assets/apps.go
old mode 100755
new mode 100644
index 152688e772..93c1dbcdda
--- a/pkg/assets/apps.go
+++ b/pkg/assets/apps.go
@@ -6,8 +6,6 @@ import ( "k8s.io/klog/v2" - appsassets "github.com/openshift/microshift/pkg/assets/apps" - "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" @@ -101,7 +99,7 @@ func applyApps(apps []string, applier readerApplier, render RenderFunc, params R for _, app := range apps { klog.Infof("Applying apps api %s", app) - objBytes, err := appsassets.Asset(app) + objBytes, err := Asset(app) if err != nil { return fmt.Errorf("error getting asset %s: %v", app, err) } diff --git a/pkg/assets/core.go b/pkg/assets/core.go old mode 100755 new mode 100644 index 087e1a6246..1e840cf273 --- a/pkg/assets/core.go +++ b/pkg/assets/core.go @@ -4,8 +4,6 @@ import ( "context" "fmt" - coreassets "github.com/openshift/microshift/pkg/assets/core" - "k8s.io/klog/v2" "k8s.io/client-go/rest" @@ -190,7 +188,7 @@ func applyCore(cores []string, applier readerApplier, render RenderFunc, params for _, core := range cores { klog.Infof("Applying corev1 api %s", core) - objBytes, err := coreassets.Asset(core) + objBytes, err := Asset(core) if err != nil { return fmt.Errorf("error getting asset %s: %v", core, err) } diff --git a/pkg/assets/crd.go b/pkg/assets/crd.go old mode 100755 new mode 100644 index c2506f3b02..c1d74c136f --- a/pkg/assets/crd.go +++ b/pkg/assets/crd.go @@ -7,7 +7,6 @@ import ( klog "k8s.io/klog/v2" - crd_assets "github.com/openshift/microshift/pkg/assets/crd" "github.com/openshift/microshift/pkg/config" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" @@ -78,7 +77,7 @@ func WaitForCrdsEstablished(cfg *config.MicroshiftConfig) error { for _, crd := range crds { klog.Infof("Waiting for crd %s condition.type: established", crd) var crdBytes []byte - crdBytes, err = crd_assets.Asset(crd) + crdBytes, err = Asset(crd) if err != nil { return fmt.Errorf("error getting asset %s: %v", crd, err) } 
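Review bot: The `Asset(app)` call in applyApps (pkg/assets/apps.go, second hunk) now refers to a function of package `assets` itself, but nothing in this patch adds one; it seems to arrive only when patch 2/2 moves the generated `bindata.go` into `pkg/assets`, so the tree at 1/2 probably does not compile and cannot be bisected. The same holds for the `Asset(...)` replacements in core.go, both crd.go hunks, rbac.go, scc.go and storage.go. Regenerating bindata in this same commit would keep every revision buildable. Because all apply functions now draw from one shared asset table, a comment above the call such as `// Asset is generated by scripts/bindata.sh; names are full "assets/components/..." paths` would tell readers where it comes from. The function bodies start and end outside these hunks.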
@@ -152,7 +151,7 @@ func ApplyCRDs(cfg *config.MicroshiftConfig) error { for _, crd := range crds { klog.Infof("Applying openshift CRD %s", crd) - crdBytes, err := crd_assets.Asset(crd) + crdBytes, err := Asset(crd) if err != nil { return fmt.Errorf("error getting asset %s: %v", crd, err) } diff --git a/pkg/assets/rbac.go b/pkg/assets/rbac.go old mode 100755 new mode 100644 index f8928681f8..958e14ac9c --- a/pkg/assets/rbac.go +++ b/pkg/assets/rbac.go @@ -4,8 +4,6 @@ import ( "context" "fmt" - rbacassets "github.com/openshift/microshift/pkg/assets/rbac" - "k8s.io/klog/v2" "k8s.io/client-go/rest" @@ -164,7 +162,7 @@ func applyRbac(rbacs []string, applier readerApplier) error { for _, rbac := range rbacs { klog.Infof("Applying rbac %s", rbac) - objBytes, err := rbacassets.Asset(rbac) + objBytes, err := Asset(rbac) if err != nil { return fmt.Errorf("error getting asset %s: %v", rbac, err) } diff --git a/pkg/assets/scc.go b/pkg/assets/scc.go index 84e8b45dff..79888793af 100644 --- a/pkg/assets/scc.go +++ b/pkg/assets/scc.go @@ -6,8 +6,6 @@ import ( "k8s.io/klog/v2" - sccassets "github.com/openshift/microshift/pkg/assets/scc" - "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" @@ -73,7 +71,7 @@ func applySCCs(sccs []string, applier readerApplier, render RenderFunc, params R for _, scc := range sccs { klog.Infof("Applying scc api %s", scc) - objBytes, err := sccassets.Asset(scc) + objBytes, err := Asset(scc) if err != nil { return fmt.Errorf("error getting asset %s: %v", scc, err) } diff --git a/pkg/assets/storage.go b/pkg/assets/storage.go index 899765a4d1..36181170c0 100644 --- a/pkg/assets/storage.go +++ b/pkg/assets/storage.go @@ -6,8 +6,6 @@ import ( "k8s.io/klog/v2" - scassets "github.com/openshift/microshift/pkg/assets/storage" - "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" 
@@ -73,7 +71,7 @@ func applySCs(scs []string, applier readerApplier, render RenderFunc, params Ren for _, sc := range scs { klog.Infof("Applying sc %s", sc) - objBytes, err := scassets.Asset(sc) + objBytes, err := Asset(sc) if err != nil { return fmt.Errorf("error getting asset %s: %v", sc, err) } diff --git a/pkg/components/controllers.go b/pkg/components/controllers.go index 9e64194781..2ae9a31564 100644 --- a/pkg/components/controllers.go +++ b/pkg/components/controllers.go @@ -12,29 +12,29 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin var ( //TODO: fix the rolebinding and sa clusterRoleBinding = []string{ - "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml", + "assets/components/service-ca/clusterrolebinding.yaml", } clusterRole = []string{ - "assets/rbac/0000_60_service-ca_00_clusterrole.yaml", + "assets/components/service-ca/clusterrole.yaml", } roleBinding = []string{ - "assets/rbac/0000_60_service-ca_00_rolebinding.yaml", + "assets/components/service-ca/rolebinding.yaml", } role = []string{ - "assets/rbac/0000_60_service-ca_00_role.yaml", + "assets/components/service-ca/role.yaml", } apps = []string{ - "assets/apps/0000_60_service-ca_05_deploy.yaml", + "assets/components/service-ca/deployment.yaml", } ns = []string{ - "assets/core/0000_60_service-ca_01_namespace.yaml", + "assets/components/service-ca/ns.yaml", } sa = []string{ - "assets/core/0000_60_service-ca_04_sa.yaml", + "assets/components/service-ca/sa.yaml", } - secret = "assets/core/0000_60_service-ca_04_secret.yaml" + secret = "assets/components/service-ca/signing-secret.yaml" secretName = "signing-key" - cm = "assets/core/0000_60_service-ca_04_configmap.yaml" + cm = "assets/components/service-ca/signing-cabundle.yaml" cmName = "signing-cabundle" ) caPath := cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt" 
@@ -100,28 +100,28 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin func startIngressController(cfg *config.MicroshiftConfig, kubeconfigPath string) error { var ( clusterRoleBinding = []string{ - "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml", + "assets/components/openshift-router/cluster-role-binding.yaml", } clusterRole = []string{ - "assets/rbac/0000_80_openshift-router-cluster-role.yaml", + "assets/components/openshift-router/cluster-role.yaml", } apps = []string{ - "assets/apps/0000_80_openshift-router-deployment.yaml", + "assets/components/openshift-router/deployment.yaml", } ns = []string{ - "assets/core/0000_80_openshift-router-namespace.yaml", + "assets/components/openshift-router/namespace.yaml", } sa = []string{ - "assets/core/0000_80_openshift-router-service-account.yaml", + "assets/components/openshift-router/service-account.yaml", } cm = []string{ - "assets/core/0000_80_openshift-router-cm.yaml", + "assets/components/openshift-router/configmap.yaml", } svc = []string{ - "assets/core/0000_80_openshift-router-service.yaml", + "assets/components/openshift-router/service-internal.yaml", } extSvc = []string{ - "assets/core/0000_80_openshift-router-external-service.yaml", + "assets/components/openshift-router/service-cloud.yaml", } ) if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil { 
@@ -162,27 +162,27 @@ func startIngressController(cfg *config.MicroshiftConfig, kubeconfigPath string) func startDNSController(cfg *config.MicroshiftConfig, kubeconfigPath string) error { var ( clusterRoleBinding = []string{ - "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml", + "assets/components/openshift-dns/dns/cluster-role-binding.yaml", } clusterRole = []string{ - "assets/rbac/0000_70_dns_01-cluster-role.yaml", + "assets/components/openshift-dns/dns/cluster-role.yaml", } apps = []string{ - "assets/apps/0000_70_dns_01-dns-daemonset.yaml", - "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml", + "assets/components/openshift-dns/dns/daemonset.yaml", + "assets/components/openshift-dns/node-resolver/daemonset.yaml", } ns = []string{ - "assets/core/0000_70_dns_00-namespace.yaml", + "assets/components/openshift-dns/dns/namespace.yaml", } sa = []string{ - "assets/core/0000_70_dns_01-dns-service-account.yaml", - "assets/core/0000_70_dns_01-node-resolver-service-account.yaml", + "assets/components/openshift-dns/dns/service-account.yaml", + "assets/components/openshift-dns/node-resolver/service-account.yaml", } cm = []string{ - "assets/core/0000_70_dns_01-configmap.yaml", + "assets/components/openshift-dns/dns/configmap.yaml", } svc = []string{ - "assets/core/0000_70_dns_01-service.yaml", + "assets/components/openshift-dns/dns/service.yaml", } ) if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil { diff --git a/pkg/components/networking.go b/pkg/components/networking.go index 58398032a1..a9783c6372 100644 --- a/pkg/components/networking.go +++ b/pkg/components/networking.go 
@@ -8,22 +8,22 @@ import ( func startFlannel(kubeconfigPath string) error { var ( // psp = []string{ - // "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml", + // "assets/components/flannel/podsecuritypolicy.yaml", // } cr = []string{ - "assets/rbac/0000_00_flannel-clusterrole.yaml", + "assets/components/flannel/clusterrole.yaml", } crb = []string{ - "assets/rbac/0000_00_flannel-clusterrolebinding.yaml", + "assets/components/flannel/clusterrolebinding.yaml", } sa = []string{ - "assets/core/0000_00_flannel-service-account.yaml", + "assets/components/flannel/service-account.yaml", } cm = []string{ - "assets/core/0000_00_flannel-configmap.yaml", + "assets/components/flannel/configmap.yaml", } ds = []string{ - "assets/apps/0000_00_flannel-daemonset.yaml", + "assets/components/flannel/daemonset.yaml", } ) diff --git a/pkg/components/storage.go b/pkg/components/storage.go index 86bef55bba..7c8b1a9a48 100644 --- a/pkg/components/storage.go +++ b/pkg/components/storage.go 
@@ -8,25 +8,25 @@ import ( func startHostpathProvisioner(kubeconfigPath string) error { var ( ns = []string{ - "assets/core/0000_80_hostpath-provisioner-namespace.yaml", + "assets/components/hostpath-provisioner/namespace.yaml", } sa = []string{ - "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml", + "assets/components/hostpath-provisioner/service-account.yaml", } cr = []string{ - "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml", + "assets/components/hostpath-provisioner/clusterrole.yaml", } crb = []string{ - "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml", + "assets/components/hostpath-provisioner/clusterrolebinding.yaml", } scc = []string{ - "assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml", + "assets/components/hostpath-provisioner/scc.yaml", } ds = []string{ - "assets/apps/000_80_hostpath-provisioner-daemonset.yaml", + "assets/components/hostpath-provisioner/daemonset.yaml", } sc = []string{ - "assets/storage/0000_80_hostpath-provisioner-storageclass.yaml", + "assets/components/hostpath-provisioner/storageclass.yaml", } ) if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil { diff --git a/scripts/bindata.sh b/scripts/bindata.sh index de7f7855ef..2cf1996084 100755 --- a/scripts/bindata.sh +++ b/scripts/bindata.sh @@ -1,6 +1,7 @@ +#!/bin/bash + go install github.com/go-bindata/go-bindata/... -for i in crd core rbac apps scc storage; do - OUTPUT="pkg/assets/${i}/bindata.go" - "${GOPATH}"/bin/go-bindata -nocompress -nometadata -prefix "pkg/assets/${i}" -pkg assets -o ${OUTPUT} "./assets/${i}/..." - gofmt -s -w "${OUTPUT}" -done + +OUTPUT="pkg/assets/bindata.go" +"${GOPATH}"/bin/go-bindata -nocompress -prefix "pkg/assets" -pkg assets -o ${OUTPUT} "./assets/..." +gofmt -s -w "${OUTPUT}" From 40a54da702de197bb819b2b85f594aa165251704 Mon Sep 17 00:00:00 2001 From: "Frank A. Zdarsky" Date: Sun, 6 Mar 2022 16:08:34 +0100 Subject: [PATCH 2/2] Regenerate bindata 
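Review bot: The rewritten go-bindata call in scripts/bindata.sh drops `-nometadata`, so the regenerated `pkg/assets/bindata.go` will presumably embed each manifest's size, mode and modification time and differ between checkouts even when `assets/` is unchanged. That makes it hard for CI or a reviewer to confirm that the generated file, which carries the RBAC, SCC and signing-secret manifests applied to the cluster, matches the YAML sources; keep the flag and quote the output path: `"${GOPATH}"/bin/go-bindata -nocompress -nometadata -prefix "pkg/assets" -pkg assets -o "${OUTPUT}" "./assets/..."`. The new shebang is also not followed by `set -euo pipefail`, so a failed `go install` or generator run still falls through to `gofmt`. The `go install` line itself is unchanged but fetches go-bindata without a pinned version, which is worth fixing while the script is being touched.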
Signed-off-by: Frank A. Zdarsky --- pkg/assets/apps/bindata.go | 904 ----------- pkg/assets/{crd => }/bindata.go | 2525 ++++++++++++++++++++++++++++++- pkg/assets/core/bindata.go | 825 ---------- pkg/assets/rbac/bindata.go | 835 ---------- pkg/assets/scc/bindata.go | 705 --------- pkg/assets/storage/bindata.go | 228 --- 6 files changed, 2516 insertions(+), 3506 deletions(-) delete mode 100644 pkg/assets/apps/bindata.go rename pkg/assets/{crd => }/bindata.go (69%) delete mode 100644 pkg/assets/core/bindata.go delete mode 100644 pkg/assets/rbac/bindata.go delete mode 100644 pkg/assets/scc/bindata.go delete mode 100644 pkg/assets/storage/bindata.go diff --git a/pkg/assets/apps/bindata.go b/pkg/assets/apps/bindata.go deleted file mode 100644 index 87a822ae54..0000000000 --- a/pkg/assets/apps/bindata.go +++ /dev/null 
@@ -1,904 +0,0 @@ -// Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. -// sources: -// assets/apps/0000_00_flannel-daemonset.yaml -// assets/apps/0000_60_service-ca_05_deploy.yaml -// assets/apps/0000_70_dns_01-dns-daemonset.yaml -// assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml -// assets/apps/0000_80_openshift-router-deployment.yaml -// assets/apps/000_80_hostpath-provisioner-daemonset.yaml -package assets - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -// Name return file name -func (fi bindataFileInfo) Name() string { - return fi.name -} - -// Size return file size -func (fi bindataFileInfo) Size() int64 { - return fi.size -} - -// Mode return file mode -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} - -// Mode return file modify time -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} - -// IsDir return file whether a directory -func (fi bindataFileInfo) IsDir() bool { - return fi.mode&os.ModeDir != 0 -} - -// Sys return file is sys mode -func (fi bindataFileInfo) Sys() interface{} { - return nil -} - -var _assetsApps0000_00_flannelDaemonsetYaml = []byte(`apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-flannel-ds - namespace: kube-system - labels: - tier: node - app: flannel -spec: - selector: - matchLabels: - app: flannel - template: - metadata: - labels: - tier: node - app: flannel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - hostNetwork: true - priorityClassName: system-node-critical - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: flannel - initContainers: - - name: install-cni-bin - image: {{ 
.ReleaseImage.kube_flannel_cni }} - command: - - cp - args: - - -f - - /flannel - - /opt/cni/bin/flannel - volumeMounts: - - name: cni-plugin - mountPath: /opt/cni/bin - - name: install-cni - image: {{ .ReleaseImage.kube_flannel }} - command: - - cp - args: - - -f - - /etc/kube-flannel/cni-conf.json - - /etc/cni/net.d/10-flannel.conflist - volumeMounts: - - name: cni - mountPath: /etc/cni/net.d - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - containers: - - name: kube-flannel - image: {{ .ReleaseImage.kube_flannel }} - command: - - /opt/bin/flanneld - args: - - --ip-masq - - --kube-subnet-mgr - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: false - capabilities: - add: ["NET_ADMIN", "NET_RAW"] - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: run - mountPath: /run/flannel - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg - - name: cni-plugin - hostPath: - path: /opt/cni/bin`) - -func assetsApps0000_00_flannelDaemonsetYamlBytes() ([]byte, error) { - return _assetsApps0000_00_flannelDaemonsetYaml, nil -} - -func assetsApps0000_00_flannelDaemonsetYaml() (*asset, error) { - bytes, err := assetsApps0000_00_flannelDaemonsetYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/0000_00_flannel-daemonset.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsApps0000_60_serviceCa_05_deployYaml = []byte(`apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: openshift-service-ca - name: service-ca - labels: - app: service-ca - service-ca: "true" -spec: - 
replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: service-ca - service-ca: "true" - template: - metadata: - name: service-ca - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - labels: - app: service-ca - service-ca: "true" - spec: - securityContext: {} - serviceAccount: service-ca - serviceAccountName: service-ca - containers: - - name: service-ca-controller - image: {{ .ReleaseImage.service_ca_operator }} - imagePullPolicy: IfNotPresent - command: ["service-ca-operator", "controller"] - ports: - - containerPort: 8443 - # securityContext: - # runAsNonRoot: true - resources: - requests: - memory: 120Mi - cpu: 10m - volumeMounts: - - mountPath: /var/run/secrets/signing-key - name: signing-key - - mountPath: /var/run/configmaps/signing-cabundle - name: signing-cabundle - volumes: - - name: signing-key - secret: - secretName: {{.TLSSecret}} - - name: signing-cabundle - configMap: - name: {{.CAConfigMap}} - # nodeSelector: - # node-role.kubernetes.io/master: "" - priorityClassName: "system-cluster-critical" - tolerations: - - key: node-role.kubernetes.io/master - operator: Exists - effect: "NoSchedule" - - key: "node.kubernetes.io/unreachable" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 - - key: "node.kubernetes.io/not-ready" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 -`) - -func assetsApps0000_60_serviceCa_05_deployYamlBytes() ([]byte, error) { - return _assetsApps0000_60_serviceCa_05_deployYaml, nil -} - -func assetsApps0000_60_serviceCa_05_deployYaml() (*asset, error) { - bytes, err := assetsApps0000_60_serviceCa_05_deployYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/0000_60_service-ca_05_deploy.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsApps0000_70_dns_01DnsDaemonsetYaml = []byte(`kind: DaemonSet 
-apiVersion: apps/v1 -metadata: - labels: - dns.operator.openshift.io/owning-dns: default - name: dns-default - namespace: openshift-dns -spec: - selector: - matchLabels: - dns.operator.openshift.io/daemonset-dns: default - template: - metadata: - labels: - dns.operator.openshift.io/daemonset-dns: default - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - spec: - serviceAccountName: dns - priorityClassName: system-node-critical - containers: - - name: dns - image: {{ .ReleaseImage.coredns }} - imagePullPolicy: IfNotPresent - terminationMessagePolicy: FallbackToLogsOnError - command: [ "coredns" ] - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - ports: - - containerPort: 5353 - name: dns - protocol: UDP - - containerPort: 5353 - name: dns-tcp - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 3 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 3 - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - resources: - requests: - cpu: 50m - memory: 70Mi - - name: kube-rbac-proxy - image: {{ .ReleaseImage.kube_rbac_proxy }} - args: - - --secure-listen-address=:9154 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - - --upstream=http://127.0.0.1:9153/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - ports: - - containerPort: 9154 - name: metrics - resources: - requests: - cpu: 10m - memory: 40Mi - volumeMounts: - - mountPath: /etc/tls/private - name: metrics-tls - readOnly: true - dnsPolicy: Default - nodeSelector: - kubernetes.io/os: 
linux - volumes: - - name: config-volume - configMap: - items: - - key: Corefile - path: Corefile - name: dns-default - - name: metrics-tls - secret: - defaultMode: 420 - secretName: dns-default-metrics-tls - tolerations: - # DNS needs to run everywhere. Tolerate all taints - - operator: Exists - updateStrategy: - type: RollingUpdate - rollingUpdate: - # TODO: Consider setting maxSurge to a positive value. - maxSurge: 0 - # Note: The daemon controller rounds the percentage up - # (unlike the deployment controller, which rounds down). - maxUnavailable: 10% -`) - -func assetsApps0000_70_dns_01DnsDaemonsetYamlBytes() ([]byte, error) { - return _assetsApps0000_70_dns_01DnsDaemonsetYaml, nil -} - -func assetsApps0000_70_dns_01DnsDaemonsetYaml() (*asset, error) { - bytes, err := assetsApps0000_70_dns_01DnsDaemonsetYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/0000_70_dns_01-dns-daemonset.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsApps0000_70_dns_01NodeResolverDaemonsetYaml = []byte(`apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: node-resolver - namespace: openshift-dns -spec: - revisionHistoryLimit: 10 - selector: - matchLabels: - dns.operator.openshift.io/daemonset-node-resolver: "" - template: - metadata: - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - labels: - dns.operator.openshift.io/daemonset-node-resolver: "" - spec: - containers: - - command: - - /bin/bash - - -c - - | - #!/bin/bash - set -uo pipefail - - trap 'jobs -p | xargs kill || true; wait; exit 0' TERM - - NAMESERVER=${DNS_DEFAULT_SERVICE_HOST} - OPENSHIFT_MARKER="openshift-generated-node-resolver" - HOSTS_FILE="/etc/hosts" - TEMP_FILE="/etc/hosts.tmp" - - IFS=', ' read -r -a services <<< "${SERVICES}" - - # Make a temporary file with the old hosts file's attributes. 
- cp -f --attributes-only "${HOSTS_FILE}" "${TEMP_FILE}" - - while true; do - declare -A svc_ips - for svc in "${services[@]}"; do - # Fetch service IP from cluster dns if present. We make several tries - # to do it: IPv4, IPv6, IPv4 over TCP and IPv6 over TCP. The two last ones - # are for deployments with Kuryr on older OpenStack (OSP13) - those do not - # support UDP loadbalancers and require reaching DNS through TCP. - cmds=('dig -t A @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' - 'dig -t AAAA @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' - 'dig -t A +tcp +retry=0 @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' - 'dig -t AAAA +tcp +retry=0 @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"') - for i in ${!cmds[*]} - do - ips=($(eval "${cmds[i]}")) - if [[ "$?" -eq 0 && "${#ips[@]}" -ne 0 ]]; then - svc_ips["${svc}"]="${ips[@]}" - break - fi - done - done - - # Update /etc/hosts only if we get valid service IPs - # We will not update /etc/hosts when there is coredns service outage or api unavailability - # Stale entries could exist in /etc/hosts if the service is deleted - if [[ -n "${svc_ips[*]-}" ]]; then - # Build a new hosts file from /etc/hosts with our custom entries filtered out - grep -v "# ${OPENSHIFT_MARKER}" "${HOSTS_FILE}" > "${TEMP_FILE}" - - # Append resolver entries for services - for svc in "${!svc_ips[@]}"; do - for ip in ${svc_ips[${svc}]}; do - echo "${ip} ${svc} ${svc}.${CLUSTER_DOMAIN} # ${OPENSHIFT_MARKER}" >> "${TEMP_FILE}" - done - done - - # TODO: Update /etc/hosts atomically to avoid any inconsistent behavior - # Replace /etc/hosts with our modified version if needed - cmp "${TEMP_FILE}" "${HOSTS_FILE}" || cp -f "${TEMP_FILE}" "${HOSTS_FILE}" - # TEMP_FILE is not removed to avoid file create/delete and attributes copy churn - fi - sleep 60 & wait - unset svc_ips - done - env: - - name: SERVICES - # Comma or space separated list of services - # NOTE: For now, ensure 
these are relative names; for each relative name, - # an alias with the CLUSTER_DOMAIN suffix will also be added. - value: "image-registry.openshift-image-registry.svc" - - name: NAMESERVER - value: 172.30.0.10 - - name: CLUSTER_DOMAIN - value: cluster.local - image: {{ .ReleaseImage.cli }} - imagePullPolicy: IfNotPresent - name: dns-node-resolver - resources: - requests: - cpu: 5m - memory: 21Mi - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/hosts - name: hosts-file - dnsPolicy: ClusterFirst - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: node-resolver - serviceAccountName: node-resolver - terminationGracePeriodSeconds: 30 - tolerations: - - operator: Exists - volumes: - - hostPath: - path: /etc/hosts - type: File - name: hosts-file - updateStrategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 33% - type: RollingUpdate -`) - -func assetsApps0000_70_dns_01NodeResolverDaemonsetYamlBytes() ([]byte, error) { - return _assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, nil -} - -func assetsApps0000_70_dns_01NodeResolverDaemonsetYaml() (*asset, error) { - bytes, err := assetsApps0000_70_dns_01NodeResolverDaemonsetYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsApps0000_80_openshiftRouterDeploymentYaml = []byte(`# Deployment with default values -# Ingress Controller specific values are applied at runtime. 
-kind: Deployment -apiVersion: apps/v1 -metadata: - name: router-default - namespace: openshift-ingress - labels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default -spec: - progressDeadlineSeconds: 600 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 25% - type: RollingUpdate - template: - metadata: - annotations: - "unsupported.do-not-use.openshift.io/override-liveness-grace-period-seconds": "10" - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - labels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - spec: - serviceAccountName: router - # nodeSelector is set at runtime. - priorityClassName: system-cluster-critical - containers: - - name: router - image: {{ .ReleaseImage.haproxy_router }} - imagePullPolicy: IfNotPresent - terminationMessagePolicy: FallbackToLogsOnError - ports: - - name: http - containerPort: 80 - hostPort: 80 - protocol: TCP - - name: https - containerPort: 443 - hostPort: 443 - protocol: TCP - - name: metrics - containerPort: 1936 - hostPort: 1936 - protocol: TCP - # Merged at runtime. 
- env: - # stats username and password are generated at runtime - - name: STATS_PORT - value: "1936" - - name: ROUTER_SERVICE_NAMESPACE - value: openshift-ingress - - name: DEFAULT_CERTIFICATE_DIR - value: /etc/pki/tls/private - - name: DEFAULT_DESTINATION_CA_PATH - value: /var/run/configmaps/service-ca/service-ca.crt - - name: ROUTER_CIPHERS - value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - - name: ROUTER_DISABLE_HTTP2 - value: "true" - - name: ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK - value: "false" - #FIXME: use metrics tls - - name: ROUTER_METRICS_TLS_CERT_FILE - value: /etc/pki/tls/private/tls.crt - - name: ROUTER_METRICS_TLS_KEY_FILE - value: /etc/pki/tls/private/tls.key - - name: ROUTER_METRICS_TYPE - value: haproxy - - name: ROUTER_SERVICE_NAME - value: default - - name: ROUTER_SET_FORWARDED_HEADERS - value: append - - name: ROUTER_THREADS - value: "4" - - name: SSL_MIN_VERSION - value: TLSv1.2 - livenessProbe: - failureThreshold: 3 - httpGet: - host: localhost - path: /healthz - port: 1936 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - host: localhost - path: /healthz/ready - port: 1936 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - startupProbe: - failureThreshold: 120 - httpGet: - path: /healthz/ready - port: 1936 - periodSeconds: 1 - resources: - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/private - name: default-certificate - readOnly: true - - mountPath: /var/run/configmaps/service-ca - name: service-ca-bundle - readOnly: true - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - 
restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: router - volumes: - - name: default-certificate - secret: - defaultMode: 420 - secretName: router-certs-default - - name: service-ca-bundle - configMap: - items: - - key: service-ca.crt - path: service-ca.crt - name: service-ca-bundle - optional: false - defaultMode: 420 -`) - -func assetsApps0000_80_openshiftRouterDeploymentYamlBytes() ([]byte, error) { - return _assetsApps0000_80_openshiftRouterDeploymentYaml, nil -} - -func assetsApps0000_80_openshiftRouterDeploymentYaml() (*asset, error) { - bytes, err := assetsApps0000_80_openshiftRouterDeploymentYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/0000_80_openshift-router-deployment.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsApps000_80_hostpathProvisionerDaemonsetYaml = []byte(`apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kubevirt-hostpath-provisioner - labels: - k8s-app: kubevirt-hostpath-provisioner - namespace: kubevirt-hostpath-provisioner -spec: - selector: - matchLabels: - k8s-app: kubevirt-hostpath-provisioner - template: - metadata: - labels: - k8s-app: kubevirt-hostpath-provisioner - spec: - serviceAccountName: kubevirt-hostpath-provisioner-admin - containers: - - name: kubevirt-hostpath-provisioner - image: {{ .ReleaseImage.kubevirt_hostpath_provisioner }} - imagePullPolicy: Always - env: - - name: USE_NAMING_PREFIX - value: "false" # change to true, to have the name of the pvc be part of the directory - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PV_DIR - value: /var/hpvolumes - volumeMounts: - - name: pv-volume # root dir where your bind mounts will be on the node - mountPath: /var/hpvolumes - #nodeSelector: - #- name: xxxxxx - volumes: - - name: pv-volume - hostPath: - path: /var/hpvolumes -`) - -func 
assetsApps000_80_hostpathProvisionerDaemonsetYamlBytes() ([]byte, error) { - return _assetsApps000_80_hostpathProvisionerDaemonsetYaml, nil -} - -func assetsApps000_80_hostpathProvisionerDaemonsetYaml() (*asset, error) { - bytes, err := assetsApps000_80_hostpathProvisionerDaemonsetYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/apps/000_80_hostpath-provisioner-daemonset.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. -func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. 
-func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. -var _bindata = map[string]func() (*asset, error){ - "assets/apps/0000_00_flannel-daemonset.yaml": assetsApps0000_00_flannelDaemonsetYaml, - "assets/apps/0000_60_service-ca_05_deploy.yaml": assetsApps0000_60_serviceCa_05_deployYaml, - "assets/apps/0000_70_dns_01-dns-daemonset.yaml": assetsApps0000_70_dns_01DnsDaemonsetYaml, - "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, - "assets/apps/0000_80_openshift-router-deployment.yaml": assetsApps0000_80_openshiftRouterDeploymentYaml, - "assets/apps/000_80_hostpath-provisioner-daemonset.yaml": assetsApps000_80_hostpathProvisionerDaemonsetYaml, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. 
-func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} - -var _bintree = &bintree{nil, map[string]*bintree{ - "assets": {nil, map[string]*bintree{ - "apps": {nil, map[string]*bintree{ - "0000_00_flannel-daemonset.yaml": {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}}, - "0000_60_service-ca_05_deploy.yaml": {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}}, - "0000_70_dns_01-dns-daemonset.yaml": {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}}, - "0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}}, - "0000_80_openshift-router-deployment.yaml": {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}}, - "000_80_hostpath-provisioner-daemonset.yaml": {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}}, - }}, - }}, -}} - -// RestoreAsset restores an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) - if 
err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) error { - children, err := AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -} diff --git a/pkg/assets/crd/bindata.go b/pkg/assets/bindata.go similarity index 69% rename from pkg/assets/crd/bindata.go rename to pkg/assets/bindata.go index 7c6bd0dbe3..5af716fc41 100644 --- a/pkg/assets/crd/bindata.go +++ b/pkg/assets/bindata.go 
@@ -1,5 +1,45 @@ // Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. // sources: +// assets/components/flannel/clusterrole.yaml +// assets/components/flannel/clusterrolebinding.yaml +// assets/components/flannel/configmap.yaml +// assets/components/flannel/daemonset.yaml +// assets/components/flannel/podsecuritypolicy.yaml +// assets/components/flannel/service-account.yaml +// assets/components/hostpath-provisioner/clusterrole.yaml +// assets/components/hostpath-provisioner/clusterrolebinding.yaml +// assets/components/hostpath-provisioner/daemonset.yaml +// assets/components/hostpath-provisioner/namespace.yaml +// assets/components/hostpath-provisioner/scc.yaml +// assets/components/hostpath-provisioner/service-account.yaml +// assets/components/hostpath-provisioner/storageclass.yaml +// assets/components/openshift-dns/dns/cluster-role-binding.yaml +// assets/components/openshift-dns/dns/cluster-role.yaml +// assets/components/openshift-dns/dns/configmap.yaml +// assets/components/openshift-dns/dns/daemonset.yaml +// assets/components/openshift-dns/dns/namespace.yaml +// assets/components/openshift-dns/dns/service-account.yaml +// assets/components/openshift-dns/dns/service.yaml +// assets/components/openshift-dns/node-resolver/daemonset.yaml +// assets/components/openshift-dns/node-resolver/service-account.yaml +// assets/components/openshift-router/cluster-role-binding.yaml +// assets/components/openshift-router/cluster-role.yaml +// assets/components/openshift-router/configmap.yaml +// assets/components/openshift-router/deployment.yaml +// assets/components/openshift-router/namespace.yaml +// assets/components/openshift-router/service-account.yaml +// assets/components/openshift-router/service-cloud.yaml +// assets/components/openshift-router/service-internal.yaml +// assets/components/service-ca/clusterrole.yaml +// assets/components/service-ca/clusterrolebinding.yaml +// assets/components/service-ca/deployment.yaml +// 
assets/components/service-ca/ns.yaml +// assets/components/service-ca/role.yaml +// assets/components/service-ca/rolebinding.yaml +// assets/components/service-ca/sa.yaml +// assets/components/service-ca/signing-cabundle.yaml +// assets/components/service-ca/signing-secret.yaml +// assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml // assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml // assets/crd/0000_03_config-operator_01_proxy.crd.yaml // assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml @@ -9,6 +49,13 @@ // assets/crd/0000_10_config-operator_01_image.crd.yaml // assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml // assets/crd/0000_11_imageregistry-configs.crd.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml +// assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml package assets import ( 
@@ -62,6 +109,1914 @@ func (fi bindataFileInfo) Sys() interface{} { return nil } +var _assetsComponentsFlannelClusterroleYaml = []byte(`kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: ['psp.flannel.unprivileged'] +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch`) + +func assetsComponentsFlannelClusterroleYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelClusterroleYaml, nil +} + +func assetsComponentsFlannelClusterroleYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelClusterroleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/clusterrole.yaml", size: 418, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsFlannelClusterrolebindingYaml = []byte(`kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: flannel + namespace: kube-system`) + +func assetsComponentsFlannelClusterrolebindingYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelClusterrolebindingYaml, nil +} + +func assetsComponentsFlannelClusterrolebindingYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelClusterrolebindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/clusterrolebinding.yaml", size: 248, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsFlannelConfigmapYaml = []byte(`kind: 
ConfigMap +apiVersion: v1 +metadata: + name: kube-flannel-cfg + namespace: kube-system + labels: + tier: node + app: flannel +data: + cni-conf.json: | + { + "name": "cbr0", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "forceAddress": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + net-conf.json: | + { + "Network": "10.42.0.0/16", + "Backend": { + "Type": "vxlan" + } + }`) + +func assetsComponentsFlannelConfigmapYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelConfigmapYaml, nil +} + +func assetsComponentsFlannelConfigmapYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelConfigmapYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/configmap.yaml", size: 674, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsFlannelDaemonsetYaml = []byte(`apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-flannel-ds + namespace: kube-system + labels: + tier: node + app: flannel +spec: + selector: + matchLabels: + app: flannel + template: + metadata: + labels: + tier: node + app: flannel + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + hostNetwork: true + priorityClassName: system-node-critical + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: flannel + initContainers: + - name: install-cni-bin + image: {{ .ReleaseImage.kube_flannel_cni }} + command: + - cp + args: + - -f + - /flannel + - /opt/cni/bin/flannel + volumeMounts: + - name: cni-plugin + mountPath: /opt/cni/bin + - name: install-cni + image: {{ .ReleaseImage.kube_flannel }} + command: + - cp + args: + - -f + - 
/etc/kube-flannel/cni-conf.json + - /etc/cni/net.d/10-flannel.conflist + volumeMounts: + - name: cni + mountPath: /etc/cni/net.d + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + containers: + - name: kube-flannel + image: {{ .ReleaseImage.kube_flannel }} + command: + - /opt/bin/flanneld + args: + - --ip-masq + - --kube-subnet-mgr + resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: false + capabilities: + add: ["NET_ADMIN", "NET_RAW"] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: run + mountPath: /run/flannel + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + volumes: + - name: run + hostPath: + path: /run/flannel + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg + - name: cni-plugin + hostPath: + path: /opt/cni/bin`) + +func assetsComponentsFlannelDaemonsetYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelDaemonsetYaml, nil +} + +func assetsComponentsFlannelDaemonsetYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelDaemonsetYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/daemonset.yaml", size: 2543, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsFlannelPodsecuritypolicyYaml = []byte(`apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp.flannel.unprivileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default +spec: + 
privileged: false + volumes: + - configMap + - secret + - emptyDir + - hostPath + allowedHostPaths: + - pathPrefix: "/etc/cni/net.d" + - pathPrefix: "/etc/kube-flannel" + - pathPrefix: "/run/flannel" + readOnlyRootFilesystem: false + # Users and groups + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + fsGroup: + rule: RunAsAny + # Privilege Escalation + allowPrivilegeEscalation: false + defaultAllowPrivilegeEscalation: false + # Capabilities + allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] + defaultAddCapabilities: [] + requiredDropCapabilities: [] + # Host namespaces + hostPID: false + hostIPC: false + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + # SELinux + seLinux: + # SELinux is unused in CaaSP + rule: 'RunAsAny'`) + +func assetsComponentsFlannelPodsecuritypolicyYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelPodsecuritypolicyYaml, nil +} + +func assetsComponentsFlannelPodsecuritypolicyYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelPodsecuritypolicyYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/podsecuritypolicy.yaml", size: 1195, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsFlannelServiceAccountYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel + namespace: kube-system`) + +func assetsComponentsFlannelServiceAccountYamlBytes() ([]byte, error) { + return _assetsComponentsFlannelServiceAccountYaml, nil +} + +func assetsComponentsFlannelServiceAccountYaml() (*asset, error) { + bytes, err := assetsComponentsFlannelServiceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/flannel/service-account.yaml", size: 86, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var 
_assetsComponentsHostpathProvisionerClusterroleYaml = []byte(`kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubevirt-hostpath-provisioner +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +`) + +func assetsComponentsHostpathProvisionerClusterroleYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerClusterroleYaml, nil +} + +func assetsComponentsHostpathProvisionerClusterroleYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerClusterroleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/clusterrole.yaml", size: 609, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubevirt-hostpath-provisioner +subjects: +- kind: ServiceAccount + name: kubevirt-hostpath-provisioner-admin + namespace: kubevirt-hostpath-provisioner +roleRef: + kind: ClusterRole + name: kubevirt-hostpath-provisioner + apiGroup: rbac.authorization.k8s.io`) + +func assetsComponentsHostpathProvisionerClusterrolebindingYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerClusterrolebindingYaml, nil +} + +func assetsComponentsHostpathProvisionerClusterrolebindingYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerClusterrolebindingYamlBytes() + if err != nil 
{ + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/clusterrolebinding.yaml", size: 338, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerDaemonsetYaml = []byte(`apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kubevirt-hostpath-provisioner + labels: + k8s-app: kubevirt-hostpath-provisioner + namespace: kubevirt-hostpath-provisioner +spec: + selector: + matchLabels: + k8s-app: kubevirt-hostpath-provisioner + template: + metadata: + labels: + k8s-app: kubevirt-hostpath-provisioner + spec: + serviceAccountName: kubevirt-hostpath-provisioner-admin + containers: + - name: kubevirt-hostpath-provisioner + image: {{ .ReleaseImage.kubevirt_hostpath_provisioner }} + imagePullPolicy: Always + env: + - name: USE_NAMING_PREFIX + value: "false" # change to true, to have the name of the pvc be part of the directory + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PV_DIR + value: /var/hpvolumes + volumeMounts: + - name: pv-volume # root dir where your bind mounts will be on the node + mountPath: /var/hpvolumes + #nodeSelector: + #- name: xxxxxx + volumes: + - name: pv-volume + hostPath: + path: /var/hpvolumes +`) + +func assetsComponentsHostpathProvisionerDaemonsetYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerDaemonsetYaml, nil +} + +func assetsComponentsHostpathProvisionerDaemonsetYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerDaemonsetYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/daemonset.yaml", size: 1225, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerNamespaceYaml = []byte(`apiVersion: v1 +kind: Namespace +metadata: + name: 
kubevirt-hostpath-provisioner`) + +func assetsComponentsHostpathProvisionerNamespaceYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerNamespaceYaml, nil +} + +func assetsComponentsHostpathProvisionerNamespaceYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerNamespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/namespace.yaml", size: 78, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerSccYaml = []byte(`kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: hostpath-provisioner +allowPrivilegedContainer: true +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +allowHostDirVolumePlugin: true +users: +- system:serviceaccount:kubevirt-hostpath-provisioner:kubevirt-hostpath-provisioner-admin +volumes: +- hostPath +- secret +`) + +func assetsComponentsHostpathProvisionerSccYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerSccYaml, nil +} + +func assetsComponentsHostpathProvisionerSccYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerSccYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/scc.yaml", size: 480, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerServiceAccountYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubevirt-hostpath-provisioner-admin + namespace: kubevirt-hostpath-provisioner`) + +func assetsComponentsHostpathProvisionerServiceAccountYamlBytes() ([]byte, error) { + return 
_assetsComponentsHostpathProvisionerServiceAccountYaml, nil +} + +func assetsComponentsHostpathProvisionerServiceAccountYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerServiceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/service-account.yaml", size: 132, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsHostpathProvisionerStorageclassYaml = []byte(`apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: kubevirt-hostpath-provisioner +provisioner: kubevirt.io/hostpath-provisioner +reclaimPolicy: Delete +volumeBindingMode: WaitForFirstConsumer`) + +func assetsComponentsHostpathProvisionerStorageclassYamlBytes() ([]byte, error) { + return _assetsComponentsHostpathProvisionerStorageclassYaml, nil +} + +func assetsComponentsHostpathProvisionerStorageclassYaml() (*asset, error) { + bytes, err := assetsComponentsHostpathProvisionerStorageclassYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/hostpath-provisioner/storageclass.yaml", size: 204, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsClusterRoleBindingYaml = []byte(`kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-dns +subjects: +- kind: ServiceAccount + name: dns + namespace: openshift-dns +roleRef: + kind: ClusterRole + name: openshift-dns +`) + +func assetsComponentsOpenshiftDnsDnsClusterRoleBindingYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsClusterRoleBindingYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsClusterRoleBindingYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsClusterRoleBindingYamlBytes() + if err != nil { + return nil, err 
+ } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/cluster-role-binding.yaml", size: 223, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsClusterRoleYaml = []byte(`kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-dns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch + +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +`) + +func assetsComponentsOpenshiftDnsDnsClusterRoleYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsClusterRoleYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsClusterRoleYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsClusterRoleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/cluster-role.yaml", size: 492, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsConfigmapYaml = []byte(`apiVersion: v1 +data: + Corefile: | + .:5353 { + bufsize 512 + errors + health { + lameduck 20s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + } + prometheus 127.0.0.1:9153 + forward . 
/etc/resolv.conf { + policy sequential + } + cache 900 { + denial 9984 30 + } + reload + } +kind: ConfigMap +metadata: + labels: + dns.operator.openshift.io/owning-dns: default + name: dns-default + namespace: openshift-dns +`) + +func assetsComponentsOpenshiftDnsDnsConfigmapYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsConfigmapYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsConfigmapYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsConfigmapYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/configmap.yaml", size: 610, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsDaemonsetYaml = []byte(`kind: DaemonSet +apiVersion: apps/v1 +metadata: + labels: + dns.operator.openshift.io/owning-dns: default + name: dns-default + namespace: openshift-dns +spec: + selector: + matchLabels: + dns.operator.openshift.io/daemonset-dns: default + template: + metadata: + labels: + dns.operator.openshift.io/daemonset-dns: default + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + spec: + serviceAccountName: dns + priorityClassName: system-node-critical + containers: + - name: dns + image: {{ .ReleaseImage.coredns }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + command: [ "coredns" ] + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + ports: + - containerPort: 5353 + name: dns + protocol: UDP + - containerPort: 5353 + name: dns-tcp + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8181 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + timeoutSeconds: 3 + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP 
+ initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + resources: + requests: + cpu: 50m + memory: 70Mi + - name: kube-rbac-proxy + image: {{ .ReleaseImage.kube_rbac_proxy }} + args: + - --secure-listen-address=:9154 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + - --upstream=http://127.0.0.1:9153/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + ports: + - containerPort: 9154 + name: metrics + resources: + requests: + cpu: 10m + memory: 40Mi + volumeMounts: + - mountPath: /etc/tls/private + name: metrics-tls + readOnly: true + dnsPolicy: Default + nodeSelector: + kubernetes.io/os: linux + volumes: + - name: config-volume + configMap: + items: + - key: Corefile + path: Corefile + name: dns-default + - name: metrics-tls + secret: + defaultMode: 420 + secretName: dns-default-metrics-tls + tolerations: + # DNS needs to run everywhere. Tolerate all taints + - operator: Exists + updateStrategy: + type: RollingUpdate + rollingUpdate: + # TODO: Consider setting maxSurge to a positive value. + maxSurge: 0 + # Note: The daemon controller rounds the percentage up + # (unlike the deployment controller, which rounds down). 
+ maxUnavailable: 10% +`) + +func assetsComponentsOpenshiftDnsDnsDaemonsetYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsDaemonsetYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsDaemonsetYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsDaemonsetYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/daemonset.yaml", size: 3179, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsNamespaceYaml = []byte(`kind: Namespace +apiVersion: v1 +metadata: + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + name: openshift-dns + labels: + # set value to avoid depending on kube admission that depends on openshift apis + openshift.io/run-level: "0" + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" +`) + +func assetsComponentsOpenshiftDnsDnsNamespaceYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsNamespaceYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsNamespaceYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsNamespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/namespace.yaml", size: 417, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsServiceAccountYaml = []byte(`kind: ServiceAccount +apiVersion: v1 +metadata: + name: dns + namespace: openshift-dns +`) + +func assetsComponentsOpenshiftDnsDnsServiceAccountYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsServiceAccountYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsServiceAccountYaml() (*asset, error) { + bytes, err := 
assetsComponentsOpenshiftDnsDnsServiceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/service-account.yaml", size: 85, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsDnsServiceYaml = []byte(`kind: Service +apiVersion: v1 +metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: dns-default-metrics-tls + labels: + dns.operator.openshift.io/owning-dns: default + name: dns-default + namespace: openshift-dns +spec: + clusterIP: {{.ClusterIP}} + selector: + dns.operator.openshift.io/daemonset-dns: default + ports: + - name: dns + port: 53 + targetPort: dns + protocol: UDP + - name: dns-tcp + port: 53 + targetPort: dns-tcp + protocol: TCP + - name: metrics + port: 9154 + targetPort: metrics + protocol: TCP + # TODO: Uncomment when service topology feature gate is enabled. + #topologyKeys: + # - "kubernetes.io/hostname" + # - "*" +`) + +func assetsComponentsOpenshiftDnsDnsServiceYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsDnsServiceYaml, nil +} + +func assetsComponentsOpenshiftDnsDnsServiceYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsDnsServiceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/dns/service.yaml", size: 691, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsNodeResolverDaemonsetYaml = []byte(`apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: node-resolver + namespace: openshift-dns +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + dns.operator.openshift.io/daemonset-node-resolver: "" + template: + metadata: + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: 
+ dns.operator.openshift.io/daemonset-node-resolver: "" + spec: + containers: + - command: + - /bin/bash + - -c + - | + #!/bin/bash + set -uo pipefail + + trap 'jobs -p | xargs kill || true; wait; exit 0' TERM + + NAMESERVER=${DNS_DEFAULT_SERVICE_HOST} + OPENSHIFT_MARKER="openshift-generated-node-resolver" + HOSTS_FILE="/etc/hosts" + TEMP_FILE="/etc/hosts.tmp" + + IFS=', ' read -r -a services <<< "${SERVICES}" + + # Make a temporary file with the old hosts file's attributes. + cp -f --attributes-only "${HOSTS_FILE}" "${TEMP_FILE}" + + while true; do + declare -A svc_ips + for svc in "${services[@]}"; do + # Fetch service IP from cluster dns if present. We make several tries + # to do it: IPv4, IPv6, IPv4 over TCP and IPv6 over TCP. The two last ones + # are for deployments with Kuryr on older OpenStack (OSP13) - those do not + # support UDP loadbalancers and require reaching DNS through TCP. + cmds=('dig -t A @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' + 'dig -t AAAA @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' + 'dig -t A +tcp +retry=0 @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"' + 'dig -t AAAA +tcp +retry=0 @"${NAMESERVER}" +short "${svc}.${CLUSTER_DOMAIN}"|grep -v "^;"') + for i in ${!cmds[*]} + do + ips=($(eval "${cmds[i]}")) + if [[ "$?" 
-eq 0 && "${#ips[@]}" -ne 0 ]]; then + svc_ips["${svc}"]="${ips[@]}" + break + fi + done + done + + # Update /etc/hosts only if we get valid service IPs + # We will not update /etc/hosts when there is coredns service outage or api unavailability + # Stale entries could exist in /etc/hosts if the service is deleted + if [[ -n "${svc_ips[*]-}" ]]; then + # Build a new hosts file from /etc/hosts with our custom entries filtered out + grep -v "# ${OPENSHIFT_MARKER}" "${HOSTS_FILE}" > "${TEMP_FILE}" + + # Append resolver entries for services + for svc in "${!svc_ips[@]}"; do + for ip in ${svc_ips[${svc}]}; do + echo "${ip} ${svc} ${svc}.${CLUSTER_DOMAIN} # ${OPENSHIFT_MARKER}" >> "${TEMP_FILE}" + done + done + + # TODO: Update /etc/hosts atomically to avoid any inconsistent behavior + # Replace /etc/hosts with our modified version if needed + cmp "${TEMP_FILE}" "${HOSTS_FILE}" || cp -f "${TEMP_FILE}" "${HOSTS_FILE}" + # TEMP_FILE is not removed to avoid file create/delete and attributes copy churn + fi + sleep 60 & wait + unset svc_ips + done + env: + - name: SERVICES + # Comma or space separated list of services + # NOTE: For now, ensure these are relative names; for each relative name, + # an alias with the CLUSTER_DOMAIN suffix will also be added. 
+ value: "image-registry.openshift-image-registry.svc" + - name: NAMESERVER + value: 172.30.0.10 + - name: CLUSTER_DOMAIN + value: cluster.local + image: {{ .ReleaseImage.cli }} + imagePullPolicy: IfNotPresent + name: dns-node-resolver + resources: + requests: + cpu: 5m + memory: 21Mi + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hosts + name: hosts-file + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: node-resolver + serviceAccountName: node-resolver + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /etc/hosts + type: File + name: hosts-file + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 33% + type: RollingUpdate +`) + +func assetsComponentsOpenshiftDnsNodeResolverDaemonsetYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsNodeResolverDaemonsetYaml, nil +} + +func assetsComponentsOpenshiftDnsNodeResolverDaemonsetYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsNodeResolverDaemonsetYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/node-resolver/daemonset.yaml", size: 4823, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftDnsNodeResolverServiceAccountYaml = []byte(`kind: ServiceAccount +apiVersion: v1 +metadata: + name: node-resolver + namespace: openshift-dns +`) + +func assetsComponentsOpenshiftDnsNodeResolverServiceAccountYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftDnsNodeResolverServiceAccountYaml, nil +} + +func 
assetsComponentsOpenshiftDnsNodeResolverServiceAccountYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftDnsNodeResolverServiceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-dns/node-resolver/service-account.yaml", size: 95, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterClusterRoleBindingYaml = []byte(`# Binds the router role to its Service Account. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-ingress-router +subjects: +- kind: ServiceAccount + name: router + namespace: openshift-ingress +roleRef: + kind: ClusterRole + name: openshift-ingress-router + namespace: openshift-ingress +`) + +func assetsComponentsOpenshiftRouterClusterRoleBindingYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterClusterRoleBindingYaml, nil +} + +func assetsComponentsOpenshiftRouterClusterRoleBindingYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterClusterRoleBindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/cluster-role-binding.yaml", size: 329, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterClusterRoleYaml = []byte(`# Cluster scoped role for routers. This should be as restrictive as possible. 
+kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-ingress-router +rules: +- apiGroups: + - "" + resources: + - endpoints + - namespaces + - services + verbs: + - list + - watch + +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - list + - watch + +- apiGroups: + - route.openshift.io + resources: + - routes/status + verbs: + - update + +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - use + resourceNames: + - hostnetwork + +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +`) + +func assetsComponentsOpenshiftRouterClusterRoleYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterClusterRoleYaml, nil +} + +func assetsComponentsOpenshiftRouterClusterRoleYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterClusterRoleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/cluster-role.yaml", size: 883, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterConfigmapYaml = []byte(`apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-ingress + name: service-ca-bundle + annotations: + service.beta.openshift.io/inject-cabundle: "true" +`) + +func assetsComponentsOpenshiftRouterConfigmapYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterConfigmapYaml, nil +} + +func assetsComponentsOpenshiftRouterConfigmapYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterConfigmapYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: 
"assets/components/openshift-router/configmap.yaml", size: 168, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterDeploymentYaml = []byte(`# Deployment with default values +# Ingress Controller specific values are applied at runtime. +kind: Deployment +apiVersion: apps/v1 +metadata: + name: router-default + namespace: openshift-ingress + labels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + annotations: + "unsupported.do-not-use.openshift.io/override-liveness-grace-period-seconds": "10" + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + spec: + serviceAccountName: router + # nodeSelector is set at runtime. + priorityClassName: system-cluster-critical + containers: + - name: router + image: {{ .ReleaseImage.haproxy_router }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + ports: + - name: http + containerPort: 80 + hostPort: 80 + protocol: TCP + - name: https + containerPort: 443 + hostPort: 443 + protocol: TCP + - name: metrics + containerPort: 1936 + hostPort: 1936 + protocol: TCP + # Merged at runtime. 
+ env: + # stats username and password are generated at runtime + - name: STATS_PORT + value: "1936" + - name: ROUTER_SERVICE_NAMESPACE + value: openshift-ingress + - name: DEFAULT_CERTIFICATE_DIR + value: /etc/pki/tls/private + - name: DEFAULT_DESTINATION_CA_PATH + value: /var/run/configmaps/service-ca/service-ca.crt + - name: ROUTER_CIPHERS + value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + - name: ROUTER_DISABLE_HTTP2 + value: "true" + - name: ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK + value: "false" + #FIXME: use metrics tls + - name: ROUTER_METRICS_TLS_CERT_FILE + value: /etc/pki/tls/private/tls.crt + - name: ROUTER_METRICS_TLS_KEY_FILE + value: /etc/pki/tls/private/tls.key + - name: ROUTER_METRICS_TYPE + value: haproxy + - name: ROUTER_SERVICE_NAME + value: default + - name: ROUTER_SET_FORWARDED_HEADERS + value: append + - name: ROUTER_THREADS + value: "4" + - name: SSL_MIN_VERSION + value: TLSv1.2 + livenessProbe: + failureThreshold: 3 + httpGet: + host: localhost + path: /healthz + port: 1936 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + host: localhost + path: /healthz/ready + port: 1936 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 120 + httpGet: + path: /healthz/ready + port: 1936 + periodSeconds: 1 + resources: + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/private + name: default-certificate + readOnly: true + - mountPath: /var/run/configmaps/service-ca + name: service-ca-bundle + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + 
restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: router + volumes: + - name: default-certificate + secret: + defaultMode: 420 + secretName: router-certs-default + - name: service-ca-bundle + configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: service-ca-bundle + optional: false + defaultMode: 420 +`) + +func assetsComponentsOpenshiftRouterDeploymentYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterDeploymentYaml, nil +} + +func assetsComponentsOpenshiftRouterDeploymentYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterDeploymentYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/deployment.yaml", size: 4746, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterNamespaceYaml = []byte(`kind: Namespace +apiVersion: v1 +metadata: + name: openshift-ingress + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + labels: + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" + name: openshift-ingress + # old and new forms of the label for matching with NetworkPolicy + network.openshift.io/policy-group: ingress + policy-group.network.openshift.io/ingress: "" +`) + +func assetsComponentsOpenshiftRouterNamespaceYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterNamespaceYaml, nil +} + +func assetsComponentsOpenshiftRouterNamespaceYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterNamespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/namespace.yaml", size: 499, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, 
nil +} + +var _assetsComponentsOpenshiftRouterServiceAccountYaml = []byte(`# Account for routers created by the operator. It will require cluster scoped +# permissions related to Route processing. +kind: ServiceAccount +apiVersion: v1 +metadata: + name: router + namespace: openshift-ingress +`) + +func assetsComponentsOpenshiftRouterServiceAccountYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterServiceAccountYaml, nil +} + +func assetsComponentsOpenshiftRouterServiceAccountYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterServiceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/service-account.yaml", size: 213, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsOpenshiftRouterServiceCloudYaml = []byte(`kind: Service +apiVersion: v1 +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: router-certs-default + labels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + name: router-external-default + namespace: openshift-ingress +spec: + selector: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + type: NodePort + ports: + - name: http + port: 80 + targetPort: 80 + nodePort: 30001 + - name: https + port: 443 + targetPort: 443 + nodePort: 30002 +`) + +func assetsComponentsOpenshiftRouterServiceCloudYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterServiceCloudYaml, nil +} + +func assetsComponentsOpenshiftRouterServiceCloudYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterServiceCloudYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/service-cloud.yaml", size: 567, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} 
+ return a, nil +} + +var _assetsComponentsOpenshiftRouterServiceInternalYaml = []byte(`# Cluster Service with default values +# Ingress Controller specific annotations are applied at runtime. +kind: Service +apiVersion: v1 +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: router-certs-default + labels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + name: router-internal-default + namespace: openshift-ingress +spec: + selector: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + type: ClusterIP + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + - name: https + port: 443 + protocol: TCP + targetPort: https + - name: metrics + port: 1936 + protocol: TCP + targetPort: 1936 +`) + +func assetsComponentsOpenshiftRouterServiceInternalYamlBytes() ([]byte, error) { + return _assetsComponentsOpenshiftRouterServiceInternalYaml, nil +} + +func assetsComponentsOpenshiftRouterServiceInternalYaml() (*asset, error) { + bytes, err := assetsComponentsOpenshiftRouterServiceInternalYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/openshift-router/service-internal.yaml", size: 727, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaClusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:controller:service-ca +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - update +- apiGroups: + - apiextensions.k8s.io + 
resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update +`) + +func assetsComponentsServiceCaClusterroleYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaClusterroleYaml, nil +} + +func assetsComponentsServiceCaClusterroleYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaClusterroleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/clusterrole.yaml", size: 864, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:openshift:controller:service-ca +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + namespace: openshift-service-ca + name: service-ca +`) + +func assetsComponentsServiceCaClusterrolebindingYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaClusterrolebindingYaml, nil +} + +func assetsComponentsServiceCaClusterrolebindingYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaClusterrolebindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/clusterrolebinding.yaml", size: 298, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaDeploymentYaml = []byte(`apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openshift-service-ca + name: service-ca + labels: + app: service-ca + service-ca: "true" +spec: + replicas: 1 + 
strategy: + type: Recreate + selector: + matchLabels: + app: service-ca + service-ca: "true" + template: + metadata: + name: service-ca + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + labels: + app: service-ca + service-ca: "true" + spec: + securityContext: {} + serviceAccount: service-ca + serviceAccountName: service-ca + containers: + - name: service-ca-controller + image: {{ .ReleaseImage.service_ca_operator }} + imagePullPolicy: IfNotPresent + command: ["service-ca-operator", "controller"] + ports: + - containerPort: 8443 + # securityContext: + # runAsNonRoot: true + resources: + requests: + memory: 120Mi + cpu: 10m + volumeMounts: + - mountPath: /var/run/secrets/signing-key + name: signing-key + - mountPath: /var/run/configmaps/signing-cabundle + name: signing-cabundle + volumes: + - name: signing-key + secret: + secretName: {{.TLSSecret}} + - name: signing-cabundle + configMap: + name: {{.CAConfigMap}} + # nodeSelector: + # node-role.kubernetes.io/master: "" + priorityClassName: "system-cluster-critical" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: "NoSchedule" + - key: "node.kubernetes.io/unreachable" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 + - key: "node.kubernetes.io/not-ready" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 +`) + +func assetsComponentsServiceCaDeploymentYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaDeploymentYaml, nil +} + +func assetsComponentsServiceCaDeploymentYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaDeploymentYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/deployment.yaml", size: 1866, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaNsYaml = []byte(`apiVersion: v1 +kind: Namespace 
+metadata: + name: openshift-service-ca + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" +`) + +func assetsComponentsServiceCaNsYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaNsYaml, nil +} + +func assetsComponentsServiceCaNsYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaNsYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/ns.yaml", size: 168, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaRoleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: system:openshift:controller:service-ca + namespace: openshift-service-ca +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - restricted + verbs: + - use +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + verbs: + - get + - list + - watch`) + +func assetsComponentsServiceCaRoleYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaRoleYaml, nil +} + +func assetsComponentsServiceCaRoleYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaRoleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/role.yaml", size: 634, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaRolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:controller:service-ca + namespace: 
openshift-service-ca +roleRef: + kind: Role + name: system:openshift:controller:service-ca + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + namespace: openshift-service-ca + name: service-ca +`) + +func assetsComponentsServiceCaRolebindingYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaRolebindingYaml, nil +} + +func assetsComponentsServiceCaRolebindingYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaRolebindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/rolebinding.yaml", size: 343, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaSaYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-service-ca + name: service-ca +`) + +func assetsComponentsServiceCaSaYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaSaYaml, nil +} + +func assetsComponentsServiceCaSaYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaSaYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/sa.yaml", size: 99, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaSigningCabundleYaml = []byte(`apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-service-ca + name: signing-cabundle +data: + ca-bundle.crt: +`) + +func assetsComponentsServiceCaSigningCabundleYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaSigningCabundleYaml, nil +} + +func assetsComponentsServiceCaSigningCabundleYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaSigningCabundleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/signing-cabundle.yaml", size: 123, mode: 
os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsComponentsServiceCaSigningSecretYaml = []byte(`apiVersion: v1 +kind: Secret +metadata: + namespace: openshift-service-ca + name: signing-key +type: kubernetes.io/tls +data: + tls.crt: + tls.key: +`) + +func assetsComponentsServiceCaSigningSecretYamlBytes() ([]byte, error) { + return _assetsComponentsServiceCaSigningSecretYaml, nil +} + +func assetsComponentsServiceCaSigningSecretYaml() (*asset, error) { + bytes, err := assetsComponentsServiceCaSigningSecretYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/components/service-ca/signing-secret.yaml", size: 144, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml = []byte(`apiVersion: v1 +kind: Namespace +metadata: + annotations: + include.release.openshift.io/self-managed-high-availability: "true" + openshift.io/node-selector: "" + labels: + openshift.io/cluster-monitoring: "true" + name: openshift-controller-manager +`) + +func assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYamlBytes() ([]byte, error) { + return _assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, nil +} + +func assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml() (*asset, error) { + bytes, err := assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml", size: 254, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCrd0000_03_authorizationOpenshift_01_rolebindingrestrictionCrdYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 kind: 
CustomResourceDefinition metadata: @@ -285,7 +2240,7 @@ func assetsCrd0000_03_authorizationOpenshift_01_rolebindingrestrictionCrdYaml() return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml", size: 10910, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -406,7 +2361,7 @@ func assetsCrd0000_03_configOperator_01_proxyCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_03_config-operator_01_proxy.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_03_config-operator_01_proxy.crd.yaml", size: 4972, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -675,7 +2630,7 @@ func assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml() (*asset, e return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml", size: 12895, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
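Review bot: The regenerated `bindataFileInfo` literals now carry a real size, `mode: os.FileMode(420)` and `modTime: time.Unix(1646566396, 0)` where the old side had all three zeroed, in this hunk and in every later hunk of this file that rewrites an `info :=` line. A generation-time timestamp in checked-in generated code changes on every regeneration, which adds unrelated churn to a commit described as a pure reorganisation and works against reproducible, auditable builds. The zeroed old values suggest the generator used to run with metadata disabled (go-bindata's `-nometadata`, or a pinned `-modtime`). If dropping that was not intended, restore it in `scripts/bindata.sh`, which this commit also touches but which is not visible here. The enclosing functions begin outside these hunks.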
@@ -1062,7 +3017,7 @@ func assetsCrd0000_03_securityOpenshift_01_sccCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_03_security-openshift_01_scc.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_03_security-openshift_01_scc.crd.yaml", size: 17110, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1480,7 +3435,7 @@ func assetsCrd0000_10_configOperator_01_buildCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_build.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_build.crd.yaml", size: 22856, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1576,7 +3531,7 @@ func assetsCrd0000_10_configOperator_01_featuregateCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_featuregate.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_featuregate.crd.yaml", size: 3486, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1755,7 +3710,7 @@ func assetsCrd0000_10_configOperator_01_imageCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_image.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_image.crd.yaml", size: 8484, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
@@ -1866,7 +3821,7 @@ func assetsCrd0000_10_configOperator_01_imagecontentsourcepolicyCrdYaml() (*asse return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml", size: 5139, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
@@ -3426,7 +5381,445 @@ func assetsCrd0000_11_imageregistryConfigsCrdYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "assets/crd/0000_11_imageregistry-configs.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "assets/crd/0000_11_imageregistry-configs.crd.yaml", size: 90225, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml = []byte(`allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: anyuid provides all features of the restricted SCC + but allows users to run with any UID and any GID. 
+ name: anyuid +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml", size: 1048, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml = []byte(`allowHostDirVolumePlugin: true +allowHostIPC: true +allowHostNetwork: true +allowHostPID: true +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: MustRunAs +groups: [] +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: 'hostaccess allows access to all host namespaces but + still requires pods to be run with a UID and SELinux context that are allocated + to the namespace. WARNING: this SCC allows host access to namespaces, file systems, + and PIDS. It should only be used by trusted pods. Grant with caution.' 
+ name: hostaccess +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- hostPath +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml", size: 1267, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml = []byte(`allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: |- + hostmount-anyuid provides all the features of the + restricted SCC but allows host mounts and any UID by a pod. This is primarily + used by the persistent volume recycler. WARNING: this SCC allows host file + system access as any UID, including UID 0. Grant with caution. 
+ name: hostmount-anyuid +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:openshift-infra:pv-recycler-controller +volumes: +- configMap +- downwardAPI +- emptyDir +- hostPath +- nfs +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml", size: 1298, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml = []byte(`allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: true +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: MustRunAs +groups: [] +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: hostnetwork allows using host networking and host ports + but still requires pods to be run with a UID and SELinux context that are allocated + to the namespace. 
+ name: hostnetwork +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml", size: 1123, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml = []byte(`allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: nonroot provides all features of the restricted SCC + but allows users to run with any non-root UID. The user must specify the UID + or it must be specified on the by the manifest of the container runtime. 
+ name: nonroot +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsNonRoot +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml", size: 1166, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml = []byte(`allowHostDirVolumePlugin: true +allowHostIPC: true +allowHostNetwork: true +allowHostPID: true +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: +- "*" +allowedUnsafeSysctls: +- "*" +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +- system:nodes +- system:masters +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: 'privileged allows access to all privileged and host + features and the ability to run as any user, any group, any fsGroup, and with + any SELinux context. WARNING: this is the most relaxed SCC and should be used + only for cluster administration. 
Grant with caution.' + name: privileged +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: +- "*" +supplementalGroups: + type: RunAsAny +users: +- system:admin +- system:serviceaccount:openshift-infra:build-controller +volumes: +- "*" +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml", size: 1291, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml = []byte(`allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: +fsGroup: + type: MustRunAs +groups: +- system:authenticated +kind: SecurityContextConstraints +metadata: + annotations: + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + kubernetes.io/description: restricted denies access to all host features and requires + pods to be run with a UID, and SELinux context that are allocated to the namespace. This + is the most restrictive SCC and it is used by default for authenticated users. 
+ name: restricted +priority: +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +`) + +func assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYamlBytes() ([]byte, error) { + return _assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, nil +} + +func assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml() (*asset, error) { + bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml", size: 1213, mode: os.FileMode(420), modTime: time.Unix(1646566396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
@@ -3483,6 +5876,46 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ + "assets/components/flannel/clusterrole.yaml": assetsComponentsFlannelClusterroleYaml, + "assets/components/flannel/clusterrolebinding.yaml": assetsComponentsFlannelClusterrolebindingYaml, + "assets/components/flannel/configmap.yaml": assetsComponentsFlannelConfigmapYaml, + "assets/components/flannel/daemonset.yaml": assetsComponentsFlannelDaemonsetYaml, + "assets/components/flannel/podsecuritypolicy.yaml": assetsComponentsFlannelPodsecuritypolicyYaml, + "assets/components/flannel/service-account.yaml": assetsComponentsFlannelServiceAccountYaml, + "assets/components/hostpath-provisioner/clusterrole.yaml": assetsComponentsHostpathProvisionerClusterroleYaml, + "assets/components/hostpath-provisioner/clusterrolebinding.yaml": assetsComponentsHostpathProvisionerClusterrolebindingYaml, + "assets/components/hostpath-provisioner/daemonset.yaml": assetsComponentsHostpathProvisionerDaemonsetYaml, + "assets/components/hostpath-provisioner/namespace.yaml": assetsComponentsHostpathProvisionerNamespaceYaml, + "assets/components/hostpath-provisioner/scc.yaml": assetsComponentsHostpathProvisionerSccYaml, + "assets/components/hostpath-provisioner/service-account.yaml": assetsComponentsHostpathProvisionerServiceAccountYaml, + "assets/components/hostpath-provisioner/storageclass.yaml": assetsComponentsHostpathProvisionerStorageclassYaml, + "assets/components/openshift-dns/dns/cluster-role-binding.yaml": assetsComponentsOpenshiftDnsDnsClusterRoleBindingYaml, + "assets/components/openshift-dns/dns/cluster-role.yaml": assetsComponentsOpenshiftDnsDnsClusterRoleYaml, + "assets/components/openshift-dns/dns/configmap.yaml": assetsComponentsOpenshiftDnsDnsConfigmapYaml, + "assets/components/openshift-dns/dns/daemonset.yaml": assetsComponentsOpenshiftDnsDnsDaemonsetYaml, + 
"assets/components/openshift-dns/dns/namespace.yaml": assetsComponentsOpenshiftDnsDnsNamespaceYaml, + "assets/components/openshift-dns/dns/service-account.yaml": assetsComponentsOpenshiftDnsDnsServiceAccountYaml, + "assets/components/openshift-dns/dns/service.yaml": assetsComponentsOpenshiftDnsDnsServiceYaml, + "assets/components/openshift-dns/node-resolver/daemonset.yaml": assetsComponentsOpenshiftDnsNodeResolverDaemonsetYaml, + "assets/components/openshift-dns/node-resolver/service-account.yaml": assetsComponentsOpenshiftDnsNodeResolverServiceAccountYaml, + "assets/components/openshift-router/cluster-role-binding.yaml": assetsComponentsOpenshiftRouterClusterRoleBindingYaml, + "assets/components/openshift-router/cluster-role.yaml": assetsComponentsOpenshiftRouterClusterRoleYaml, + "assets/components/openshift-router/configmap.yaml": assetsComponentsOpenshiftRouterConfigmapYaml, + "assets/components/openshift-router/deployment.yaml": assetsComponentsOpenshiftRouterDeploymentYaml, + "assets/components/openshift-router/namespace.yaml": assetsComponentsOpenshiftRouterNamespaceYaml, + "assets/components/openshift-router/service-account.yaml": assetsComponentsOpenshiftRouterServiceAccountYaml, + "assets/components/openshift-router/service-cloud.yaml": assetsComponentsOpenshiftRouterServiceCloudYaml, + "assets/components/openshift-router/service-internal.yaml": assetsComponentsOpenshiftRouterServiceInternalYaml, + "assets/components/service-ca/clusterrole.yaml": assetsComponentsServiceCaClusterroleYaml, + "assets/components/service-ca/clusterrolebinding.yaml": assetsComponentsServiceCaClusterrolebindingYaml, + "assets/components/service-ca/deployment.yaml": assetsComponentsServiceCaDeploymentYaml, + "assets/components/service-ca/ns.yaml": assetsComponentsServiceCaNsYaml, + "assets/components/service-ca/role.yaml": assetsComponentsServiceCaRoleYaml, + "assets/components/service-ca/rolebinding.yaml": assetsComponentsServiceCaRolebindingYaml, + 
"assets/components/service-ca/sa.yaml": assetsComponentsServiceCaSaYaml, + "assets/components/service-ca/signing-cabundle.yaml": assetsComponentsServiceCaSigningCabundleYaml, + "assets/components/service-ca/signing-secret.yaml": assetsComponentsServiceCaSigningSecretYaml, + "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, "assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml": assetsCrd0000_03_authorizationOpenshift_01_rolebindingrestrictionCrdYaml, "assets/crd/0000_03_config-operator_01_proxy.crd.yaml": assetsCrd0000_03_configOperator_01_proxyCrdYaml, "assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml": assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml, 
@@ -3492,6 +5925,13 @@ var _bindata = map[string]func() (*asset, error){ "assets/crd/0000_10_config-operator_01_image.crd.yaml": assetsCrd0000_10_configOperator_01_imageCrdYaml, "assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml": assetsCrd0000_10_configOperator_01_imagecontentsourcepolicyCrdYaml, "assets/crd/0000_11_imageregistry-configs.crd.yaml": assetsCrd0000_11_imageregistryConfigsCrdYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, + "assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, } // AssetDir returns the file names below a certain 
@@ -3536,6 +5976,64 @@ type bintree struct { var _bintree = &bintree{nil, map[string]*bintree{ "assets": {nil, map[string]*bintree{ + "components": {nil, map[string]*bintree{ + "flannel": {nil, map[string]*bintree{ + "clusterrole.yaml": {assetsComponentsFlannelClusterroleYaml, map[string]*bintree{}}, + "clusterrolebinding.yaml": {assetsComponentsFlannelClusterrolebindingYaml, map[string]*bintree{}}, + "configmap.yaml": {assetsComponentsFlannelConfigmapYaml, map[string]*bintree{}}, + "daemonset.yaml": {assetsComponentsFlannelDaemonsetYaml, map[string]*bintree{}}, + "podsecuritypolicy.yaml": {assetsComponentsFlannelPodsecuritypolicyYaml, map[string]*bintree{}}, + "service-account.yaml": {assetsComponentsFlannelServiceAccountYaml, map[string]*bintree{}}, + }}, + "hostpath-provisioner": {nil, map[string]*bintree{ + "clusterrole.yaml": {assetsComponentsHostpathProvisionerClusterroleYaml, map[string]*bintree{}}, + "clusterrolebinding.yaml": {assetsComponentsHostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, + "daemonset.yaml": {assetsComponentsHostpathProvisionerDaemonsetYaml, map[string]*bintree{}}, + "namespace.yaml": {assetsComponentsHostpathProvisionerNamespaceYaml, map[string]*bintree{}}, + "scc.yaml": {assetsComponentsHostpathProvisionerSccYaml, map[string]*bintree{}}, + "service-account.yaml": {assetsComponentsHostpathProvisionerServiceAccountYaml, map[string]*bintree{}}, + "storageclass.yaml": {assetsComponentsHostpathProvisionerStorageclassYaml, map[string]*bintree{}}, + }}, + "openshift-dns": {nil, map[string]*bintree{ + "dns": {nil, map[string]*bintree{ + "cluster-role-binding.yaml": {assetsComponentsOpenshiftDnsDnsClusterRoleBindingYaml, map[string]*bintree{}}, + "cluster-role.yaml": {assetsComponentsOpenshiftDnsDnsClusterRoleYaml, map[string]*bintree{}}, + "configmap.yaml": {assetsComponentsOpenshiftDnsDnsConfigmapYaml, map[string]*bintree{}}, + "daemonset.yaml": {assetsComponentsOpenshiftDnsDnsDaemonsetYaml, map[string]*bintree{}}, + 
"namespace.yaml": {assetsComponentsOpenshiftDnsDnsNamespaceYaml, map[string]*bintree{}}, + "service-account.yaml": {assetsComponentsOpenshiftDnsDnsServiceAccountYaml, map[string]*bintree{}}, + "service.yaml": {assetsComponentsOpenshiftDnsDnsServiceYaml, map[string]*bintree{}}, + }}, + "node-resolver": {nil, map[string]*bintree{ + "daemonset.yaml": {assetsComponentsOpenshiftDnsNodeResolverDaemonsetYaml, map[string]*bintree{}}, + "service-account.yaml": {assetsComponentsOpenshiftDnsNodeResolverServiceAccountYaml, map[string]*bintree{}}, + }}, + }}, + "openshift-router": {nil, map[string]*bintree{ + "cluster-role-binding.yaml": {assetsComponentsOpenshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, + "cluster-role.yaml": {assetsComponentsOpenshiftRouterClusterRoleYaml, map[string]*bintree{}}, + "configmap.yaml": {assetsComponentsOpenshiftRouterConfigmapYaml, map[string]*bintree{}}, + "deployment.yaml": {assetsComponentsOpenshiftRouterDeploymentYaml, map[string]*bintree{}}, + "namespace.yaml": {assetsComponentsOpenshiftRouterNamespaceYaml, map[string]*bintree{}}, + "service-account.yaml": {assetsComponentsOpenshiftRouterServiceAccountYaml, map[string]*bintree{}}, + "service-cloud.yaml": {assetsComponentsOpenshiftRouterServiceCloudYaml, map[string]*bintree{}}, + "service-internal.yaml": {assetsComponentsOpenshiftRouterServiceInternalYaml, map[string]*bintree{}}, + }}, + "service-ca": {nil, map[string]*bintree{ + "clusterrole.yaml": {assetsComponentsServiceCaClusterroleYaml, map[string]*bintree{}}, + "clusterrolebinding.yaml": {assetsComponentsServiceCaClusterrolebindingYaml, map[string]*bintree{}}, + "deployment.yaml": {assetsComponentsServiceCaDeploymentYaml, map[string]*bintree{}}, + "ns.yaml": {assetsComponentsServiceCaNsYaml, map[string]*bintree{}}, + "role.yaml": {assetsComponentsServiceCaRoleYaml, map[string]*bintree{}}, + "rolebinding.yaml": {assetsComponentsServiceCaRolebindingYaml, map[string]*bintree{}}, + "sa.yaml": {assetsComponentsServiceCaSaYaml, 
map[string]*bintree{}}, + "signing-cabundle.yaml": {assetsComponentsServiceCaSigningCabundleYaml, map[string]*bintree{}}, + "signing-secret.yaml": {assetsComponentsServiceCaSigningSecretYaml, map[string]*bintree{}}, + }}, + }}, + "core": {nil, map[string]*bintree{ + "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}}, + }}, "crd": {nil, map[string]*bintree{ "0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml": {assetsCrd0000_03_authorizationOpenshift_01_rolebindingrestrictionCrdYaml, map[string]*bintree{}}, "0000_03_config-operator_01_proxy.crd.yaml": {assetsCrd0000_03_configOperator_01_proxyCrdYaml, map[string]*bintree{}}, 
@@ -3547,6 +6045,15 @@ var _bintree = &bintree{nil, map[string]*bintree{ "0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml": {assetsCrd0000_10_configOperator_01_imagecontentsourcepolicyCrdYaml, map[string]*bintree{}}, "0000_11_imageregistry-configs.crd.yaml": {assetsCrd0000_11_imageregistryConfigsCrdYaml, map[string]*bintree{}}, }}, + "scc": {nil, map[string]*bintree{ + "0000_20_kube-apiserver-operator_00_scc-anyuid.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-nonroot.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-privileged.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, map[string]*bintree{}}, + "0000_20_kube-apiserver-operator_00_scc-restricted.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, map[string]*bintree{}}, + }}, }}, }} diff --git a/pkg/assets/core/bindata.go b/pkg/assets/core/bindata.go deleted file mode 100644 index dfacf35ac9..0000000000 --- a/pkg/assets/core/bindata.go +++ /dev/null 
@@ -1,825 +0,0 @@ -// Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. -// sources: -// assets/core/0000_00_flannel-configmap.yaml -// assets/core/0000_00_flannel-service-account.yaml -// assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml -// assets/core/0000_60_service-ca_01_namespace.yaml -// assets/core/0000_60_service-ca_04_configmap.yaml -// assets/core/0000_60_service-ca_04_sa.yaml -// assets/core/0000_60_service-ca_04_secret.yaml -// assets/core/0000_70_dns_00-namespace.yaml -// assets/core/0000_70_dns_01-configmap.yaml -// assets/core/0000_70_dns_01-dns-service-account.yaml -// assets/core/0000_70_dns_01-node-resolver-service-account.yaml -// assets/core/0000_70_dns_01-service.yaml -// assets/core/0000_80_hostpath-provisioner-namespace.yaml -// assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml -// assets/core/0000_80_openshift-router-cm.yaml -// assets/core/0000_80_openshift-router-external-service.yaml -// assets/core/0000_80_openshift-router-namespace.yaml -// assets/core/0000_80_openshift-router-service-account.yaml -// assets/core/0000_80_openshift-router-service.yaml -package assets - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -// Name return file name -func (fi bindataFileInfo) Name() string { - return fi.name -} - -// Size return file size -func (fi bindataFileInfo) Size() int64 { - return fi.size -} - -// Mode return file mode -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} - -// Mode return file modify time -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} - -// IsDir return file whether a directory -func (fi bindataFileInfo) IsDir() bool { - return fi.mode&os.ModeDir != 0 -} - -// Sys return file is sys mode -func (fi bindataFileInfo) Sys() interface{} 
{ - return nil -} - -var _assetsCore0000_00_flannelConfigmapYaml = []byte(`kind: ConfigMap -apiVersion: v1 -metadata: - name: kube-flannel-cfg - namespace: kube-system - labels: - tier: node - app: flannel -data: - cni-conf.json: | - { - "name": "cbr0", - "cniVersion": "0.3.1", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "forceAddress": true, - "isDefaultGateway": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - net-conf.json: | - { - "Network": "10.42.0.0/16", - "Backend": { - "Type": "vxlan" - } - }`) - -func assetsCore0000_00_flannelConfigmapYamlBytes() ([]byte, error) { - return _assetsCore0000_00_flannelConfigmapYaml, nil -} - -func assetsCore0000_00_flannelConfigmapYaml() (*asset, error) { - bytes, err := assetsCore0000_00_flannelConfigmapYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_00_flannel-configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_00_flannelServiceAccountYaml = []byte(`apiVersion: v1 -kind: ServiceAccount -metadata: - name: flannel - namespace: kube-system`) - -func assetsCore0000_00_flannelServiceAccountYamlBytes() ([]byte, error) { - return _assetsCore0000_00_flannelServiceAccountYaml, nil -} - -func assetsCore0000_00_flannelServiceAccountYaml() (*asset, error) { - bytes, err := assetsCore0000_00_flannelServiceAccountYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_00_flannel-service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml = []byte(`apiVersion: v1 -kind: Namespace -metadata: - annotations: - include.release.openshift.io/self-managed-high-availability: "true" - 
openshift.io/node-selector: "" - labels: - openshift.io/cluster-monitoring: "true" - name: openshift-controller-manager -`) - -func assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYamlBytes() ([]byte, error) { - return _assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, nil -} - -func assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml() (*asset, error) { - bytes, err := assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_60_serviceCa_01_namespaceYaml = []byte(`apiVersion: v1 -kind: Namespace -metadata: - name: openshift-service-ca - annotations: - openshift.io/node-selector: "" - workload.openshift.io/allowed: "management" -`) - -func assetsCore0000_60_serviceCa_01_namespaceYamlBytes() ([]byte, error) { - return _assetsCore0000_60_serviceCa_01_namespaceYaml, nil -} - -func assetsCore0000_60_serviceCa_01_namespaceYaml() (*asset, error) { - bytes, err := assetsCore0000_60_serviceCa_01_namespaceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_60_service-ca_01_namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_60_serviceCa_04_configmapYaml = []byte(`apiVersion: v1 -kind: ConfigMap -metadata: - namespace: openshift-service-ca - name: signing-cabundle -data: - ca-bundle.crt: -`) - -func assetsCore0000_60_serviceCa_04_configmapYamlBytes() ([]byte, error) { - return _assetsCore0000_60_serviceCa_04_configmapYaml, nil -} - -func assetsCore0000_60_serviceCa_04_configmapYaml() (*asset, error) { - bytes, err := 
assetsCore0000_60_serviceCa_04_configmapYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_60_serviceCa_04_saYaml = []byte(`apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: openshift-service-ca - name: service-ca -`) - -func assetsCore0000_60_serviceCa_04_saYamlBytes() ([]byte, error) { - return _assetsCore0000_60_serviceCa_04_saYaml, nil -} - -func assetsCore0000_60_serviceCa_04_saYaml() (*asset, error) { - bytes, err := assetsCore0000_60_serviceCa_04_saYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_sa.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_60_serviceCa_04_secretYaml = []byte(`apiVersion: v1 -kind: Secret -metadata: - namespace: openshift-service-ca - name: signing-key -type: kubernetes.io/tls -data: - tls.crt: - tls.key: -`) - -func assetsCore0000_60_serviceCa_04_secretYamlBytes() ([]byte, error) { - return _assetsCore0000_60_serviceCa_04_secretYaml, nil -} - -func assetsCore0000_60_serviceCa_04_secretYaml() (*asset, error) { - bytes, err := assetsCore0000_60_serviceCa_04_secretYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_secret.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_70_dns_00NamespaceYaml = []byte(`kind: Namespace -apiVersion: v1 -metadata: - annotations: - openshift.io/node-selector: "" - workload.openshift.io/allowed: "management" - name: openshift-dns - labels: - # set value to avoid depending on kube admission that depends on openshift apis - openshift.io/run-level: 
"0" - # allow openshift-monitoring to look for ServiceMonitor objects in this namespace - openshift.io/cluster-monitoring: "true" -`) - -func assetsCore0000_70_dns_00NamespaceYamlBytes() ([]byte, error) { - return _assetsCore0000_70_dns_00NamespaceYaml, nil -} - -func assetsCore0000_70_dns_00NamespaceYaml() (*asset, error) { - bytes, err := assetsCore0000_70_dns_00NamespaceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_70_dns_00-namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_70_dns_01ConfigmapYaml = []byte(`apiVersion: v1 -data: - Corefile: | - .:5353 { - bufsize 512 - errors - health { - lameduck 20s - } - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - prometheus 127.0.0.1:9153 - forward . /etc/resolv.conf { - policy sequential - } - cache 900 { - denial 9984 30 - } - reload - } -kind: ConfigMap -metadata: - labels: - dns.operator.openshift.io/owning-dns: default - name: dns-default - namespace: openshift-dns -`) - -func assetsCore0000_70_dns_01ConfigmapYamlBytes() ([]byte, error) { - return _assetsCore0000_70_dns_01ConfigmapYaml, nil -} - -func assetsCore0000_70_dns_01ConfigmapYaml() (*asset, error) { - bytes, err := assetsCore0000_70_dns_01ConfigmapYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_70_dns_01-configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_70_dns_01DnsServiceAccountYaml = []byte(`kind: ServiceAccount -apiVersion: v1 -metadata: - name: dns - namespace: openshift-dns -`) - -func assetsCore0000_70_dns_01DnsServiceAccountYamlBytes() ([]byte, error) { - return _assetsCore0000_70_dns_01DnsServiceAccountYaml, nil -} - -func 
assetsCore0000_70_dns_01DnsServiceAccountYaml() (*asset, error) { - bytes, err := assetsCore0000_70_dns_01DnsServiceAccountYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_70_dns_01-dns-service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_70_dns_01NodeResolverServiceAccountYaml = []byte(`kind: ServiceAccount -apiVersion: v1 -metadata: - name: node-resolver - namespace: openshift-dns -`) - -func assetsCore0000_70_dns_01NodeResolverServiceAccountYamlBytes() ([]byte, error) { - return _assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, nil -} - -func assetsCore0000_70_dns_01NodeResolverServiceAccountYaml() (*asset, error) { - bytes, err := assetsCore0000_70_dns_01NodeResolverServiceAccountYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_70_dns_01-node-resolver-service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_70_dns_01ServiceYaml = []byte(`kind: Service -apiVersion: v1 -metadata: - annotations: - service.beta.openshift.io/serving-cert-secret-name: dns-default-metrics-tls - labels: - dns.operator.openshift.io/owning-dns: default - name: dns-default - namespace: openshift-dns -spec: - clusterIP: {{.ClusterIP}} - selector: - dns.operator.openshift.io/daemonset-dns: default - ports: - - name: dns - port: 53 - targetPort: dns - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: dns-tcp - protocol: TCP - - name: metrics - port: 9154 - targetPort: metrics - protocol: TCP - # TODO: Uncomment when service topology feature gate is enabled. 
- #topologyKeys: - # - "kubernetes.io/hostname" - # - "*" -`) - -func assetsCore0000_70_dns_01ServiceYamlBytes() ([]byte, error) { - return _assetsCore0000_70_dns_01ServiceYaml, nil -} - -func assetsCore0000_70_dns_01ServiceYaml() (*asset, error) { - bytes, err := assetsCore0000_70_dns_01ServiceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_70_dns_01-service.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_hostpathProvisionerNamespaceYaml = []byte(`apiVersion: v1 -kind: Namespace -metadata: - name: kubevirt-hostpath-provisioner`) - -func assetsCore0000_80_hostpathProvisionerNamespaceYamlBytes() ([]byte, error) { - return _assetsCore0000_80_hostpathProvisionerNamespaceYaml, nil -} - -func assetsCore0000_80_hostpathProvisionerNamespaceYaml() (*asset, error) { - bytes, err := assetsCore0000_80_hostpathProvisionerNamespaceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_hostpath-provisioner-namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_hostpathProvisionerServiceaccountYaml = []byte(`apiVersion: v1 -kind: ServiceAccount -metadata: - name: kubevirt-hostpath-provisioner-admin - namespace: kubevirt-hostpath-provisioner`) - -func assetsCore0000_80_hostpathProvisionerServiceaccountYamlBytes() ([]byte, error) { - return _assetsCore0000_80_hostpathProvisionerServiceaccountYaml, nil -} - -func assetsCore0000_80_hostpathProvisionerServiceaccountYaml() (*asset, error) { - bytes, err := assetsCore0000_80_hostpathProvisionerServiceaccountYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := 
&asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_openshiftRouterCmYaml = []byte(`apiVersion: v1 -kind: ConfigMap -metadata: - namespace: openshift-ingress - name: service-ca-bundle - annotations: - service.beta.openshift.io/inject-cabundle: "true" -`) - -func assetsCore0000_80_openshiftRouterCmYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterCmYaml, nil -} - -func assetsCore0000_80_openshiftRouterCmYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterCmYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-cm.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_openshiftRouterExternalServiceYaml = []byte(`kind: Service -apiVersion: v1 -metadata: - annotations: - service.alpha.openshift.io/serving-cert-secret-name: router-certs-default - labels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - name: router-external-default - namespace: openshift-ingress -spec: - selector: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - type: NodePort - ports: - - name: http - port: 80 - targetPort: 80 - nodePort: 30001 - - name: https - port: 443 - targetPort: 443 - nodePort: 30002 -`) - -func assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterExternalServiceYaml, nil -} - -func assetsCore0000_80_openshiftRouterExternalServiceYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-external-service.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var 
_assetsCore0000_80_openshiftRouterNamespaceYaml = []byte(`kind: Namespace -apiVersion: v1 -metadata: - name: openshift-ingress - annotations: - openshift.io/node-selector: "" - workload.openshift.io/allowed: "management" - labels: - # allow openshift-monitoring to look for ServiceMonitor objects in this namespace - openshift.io/cluster-monitoring: "true" - name: openshift-ingress - # old and new forms of the label for matching with NetworkPolicy - network.openshift.io/policy-group: ingress - policy-group.network.openshift.io/ingress: "" -`) - -func assetsCore0000_80_openshiftRouterNamespaceYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterNamespaceYaml, nil -} - -func assetsCore0000_80_openshiftRouterNamespaceYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterNamespaceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_openshiftRouterServiceAccountYaml = []byte(`# Account for routers created by the operator. It will require cluster scoped -# permissions related to Route processing. 
-kind: ServiceAccount -apiVersion: v1 -metadata: - name: router - namespace: openshift-ingress -`) - -func assetsCore0000_80_openshiftRouterServiceAccountYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterServiceAccountYaml, nil -} - -func assetsCore0000_80_openshiftRouterServiceAccountYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterServiceAccountYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsCore0000_80_openshiftRouterServiceYaml = []byte(`# Cluster Service with default values -# Ingress Controller specific annotations are applied at runtime. -kind: Service -apiVersion: v1 -metadata: - annotations: - service.alpha.openshift.io/serving-cert-secret-name: router-certs-default - labels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - name: router-internal-default - namespace: openshift-ingress -spec: - selector: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - type: ClusterIP - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - - name: https - port: 443 - protocol: TCP - targetPort: https - - name: metrics - port: 1936 - protocol: TCP - targetPort: 1936 -`) - -func assetsCore0000_80_openshiftRouterServiceYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterServiceYaml, nil -} - -func assetsCore0000_80_openshiftRouterServiceYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterServiceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-service.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset 
for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. -func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. -func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. 
-var _bindata = map[string]func() (*asset, error){ - "assets/core/0000_00_flannel-configmap.yaml": assetsCore0000_00_flannelConfigmapYaml, - "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, - "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, - "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, - "assets/core/0000_60_service-ca_04_configmap.yaml": assetsCore0000_60_serviceCa_04_configmapYaml, - "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, - "assets/core/0000_60_service-ca_04_secret.yaml": assetsCore0000_60_serviceCa_04_secretYaml, - "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, - "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, - "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, - "assets/core/0000_70_dns_01-node-resolver-service-account.yaml": assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, - "assets/core/0000_70_dns_01-service.yaml": assetsCore0000_70_dns_01ServiceYaml, - "assets/core/0000_80_hostpath-provisioner-namespace.yaml": assetsCore0000_80_hostpathProvisionerNamespaceYaml, - "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml": assetsCore0000_80_hostpathProvisionerServiceaccountYaml, - "assets/core/0000_80_openshift-router-cm.yaml": assetsCore0000_80_openshiftRouterCmYaml, - "assets/core/0000_80_openshift-router-external-service.yaml": assetsCore0000_80_openshiftRouterExternalServiceYaml, - "assets/core/0000_80_openshift-router-namespace.yaml": assetsCore0000_80_openshiftRouterNamespaceYaml, - "assets/core/0000_80_openshift-router-service-account.yaml": assetsCore0000_80_openshiftRouterServiceAccountYaml, - "assets/core/0000_80_openshift-router-service.yaml": 
assetsCore0000_80_openshiftRouterServiceYaml, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. -func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} - -var _bintree = &bintree{nil, map[string]*bintree{ - "assets": {nil, map[string]*bintree{ - "core": {nil, map[string]*bintree{ - "0000_00_flannel-configmap.yaml": {assetsCore0000_00_flannelConfigmapYaml, map[string]*bintree{}}, - "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}}, - "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}}, - "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_configmap.yaml": {assetsCore0000_60_serviceCa_04_configmapYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_sa.yaml": 
{assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_secret.yaml": {assetsCore0000_60_serviceCa_04_secretYaml, map[string]*bintree{}}, - "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}}, - "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}}, - "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}}, - "0000_70_dns_01-node-resolver-service-account.yaml": {assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, map[string]*bintree{}}, - "0000_70_dns_01-service.yaml": {assetsCore0000_70_dns_01ServiceYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-namespace.yaml": {assetsCore0000_80_hostpathProvisionerNamespaceYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-serviceaccount.yaml": {assetsCore0000_80_hostpathProvisionerServiceaccountYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cm.yaml": {assetsCore0000_80_openshiftRouterCmYaml, map[string]*bintree{}}, - "0000_80_openshift-router-external-service.yaml": {assetsCore0000_80_openshiftRouterExternalServiceYaml, map[string]*bintree{}}, - "0000_80_openshift-router-namespace.yaml": {assetsCore0000_80_openshiftRouterNamespaceYaml, map[string]*bintree{}}, - "0000_80_openshift-router-service-account.yaml": {assetsCore0000_80_openshiftRouterServiceAccountYaml, map[string]*bintree{}}, - "0000_80_openshift-router-service.yaml": {assetsCore0000_80_openshiftRouterServiceYaml, map[string]*bintree{}}, - }}, - }}, -}} - -// RestoreAsset restores an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, 
info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) - if err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) error { - children, err := AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -} diff --git a/pkg/assets/rbac/bindata.go b/pkg/assets/rbac/bindata.go deleted file mode 100644 index 6f5979161a..0000000000 --- a/pkg/assets/rbac/bindata.go +++ /dev/null 
@@ -1,835 +0,0 @@ -// Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. -// sources: -// assets/rbac/0000_00_flannel-clusterrole.yaml -// assets/rbac/0000_00_flannel-clusterrolebinding.yaml -// assets/rbac/0000_00_podsecuritypolicy-flannel.yaml -// assets/rbac/0000_60_service-ca_00_clusterrole.yaml -// assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml -// assets/rbac/0000_60_service-ca_00_role.yaml -// assets/rbac/0000_60_service-ca_00_rolebinding.yaml -// assets/rbac/0000_70_dns_01-cluster-role-binding.yaml -// assets/rbac/0000_70_dns_01-cluster-role.yaml -// assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml -// assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml -// assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml -// assets/rbac/0000_80_openshift-router-cluster-role.yaml -package assets - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -// Name return file name -func (fi bindataFileInfo) Name() string { - return fi.name -} - -// Size return file size -func (fi bindataFileInfo) Size() int64 { - return fi.size -} - -// Mode return file mode -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} - -// Mode return file modify time -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} - -// IsDir return file whether a directory -func (fi bindataFileInfo) IsDir() bool { - return fi.mode&os.ModeDir != 0 -} - -// Sys return file is sys mode -func (fi bindataFileInfo) Sys() interface{} { - return nil -} - -var _assetsRbac0000_00_flannelClusterroleYaml = []byte(`kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flannel -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['psp.flannel.unprivileged'] -- 
apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch`) - -func assetsRbac0000_00_flannelClusterroleYamlBytes() ([]byte, error) { - return _assetsRbac0000_00_flannelClusterroleYaml, nil -} - -func assetsRbac0000_00_flannelClusterroleYaml() (*asset, error) { - bytes, err := assetsRbac0000_00_flannelClusterroleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_00_flannel-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_00_flannelClusterrolebindingYaml = []byte(`kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flannel -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: flannel -subjects: -- kind: ServiceAccount - name: flannel - namespace: kube-system`) - -func assetsRbac0000_00_flannelClusterrolebindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_00_flannelClusterrolebindingYaml, nil -} - -func assetsRbac0000_00_flannelClusterrolebindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_00_flannelClusterrolebindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_00_flannel-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_00_podsecuritypolicyFlannelYaml = []byte(`apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: psp.flannel.unprivileged - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default - apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - 
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default -spec: - privileged: false - volumes: - - configMap - - secret - - emptyDir - - hostPath - allowedHostPaths: - - pathPrefix: "/etc/cni/net.d" - - pathPrefix: "/etc/kube-flannel" - - pathPrefix: "/run/flannel" - readOnlyRootFilesystem: false - # Users and groups - runAsUser: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny - # Privilege Escalation - allowPrivilegeEscalation: false - defaultAllowPrivilegeEscalation: false - # Capabilities - allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] - defaultAddCapabilities: [] - requiredDropCapabilities: [] - # Host namespaces - hostPID: false - hostIPC: false - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - # SELinux - seLinux: - # SELinux is unused in CaaSP - rule: 'RunAsAny'`) - -func assetsRbac0000_00_podsecuritypolicyFlannelYamlBytes() ([]byte, error) { - return _assetsRbac0000_00_podsecuritypolicyFlannelYaml, nil -} - -func assetsRbac0000_00_podsecuritypolicyFlannelYaml() (*asset, error) { - bytes, err := assetsRbac0000_00_podsecuritypolicyFlannelYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_60_serviceCa_00_clusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:openshift:controller:service-ca -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - update -- apiGroups: - - 
apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - update -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - update -`) - -func assetsRbac0000_60_serviceCa_00_clusterroleYamlBytes() ([]byte, error) { - return _assetsRbac0000_60_serviceCa_00_clusterroleYaml, nil -} - -func assetsRbac0000_60_serviceCa_00_clusterroleYaml() (*asset, error) { - bytes, err := assetsRbac0000_60_serviceCa_00_clusterroleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_60_service-ca_00_clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:openshift:controller:service-ca -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - namespace: openshift-service-ca - name: service-ca -`) - -func assetsRbac0000_60_serviceCa_00_clusterrolebindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, nil -} - -func assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_60_serviceCa_00_clusterrolebindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_60_serviceCa_00_roleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: system:openshift:controller:service-ca - 
namespace: openshift-service-ca -rules: -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - restricted - verbs: - - use -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - update - - create -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "apps" - resources: - - replicasets - - deployments - verbs: - - get - - list - - watch`) - -func assetsRbac0000_60_serviceCa_00_roleYamlBytes() ([]byte, error) { - return _assetsRbac0000_60_serviceCa_00_roleYaml, nil -} - -func assetsRbac0000_60_serviceCa_00_roleYaml() (*asset, error) { - bytes, err := assetsRbac0000_60_serviceCa_00_roleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_60_service-ca_00_role.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_60_serviceCa_00_rolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: system:openshift:controller:service-ca - namespace: openshift-service-ca -roleRef: - kind: Role - name: system:openshift:controller:service-ca - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - namespace: openshift-service-ca - name: service-ca -`) - -func assetsRbac0000_60_serviceCa_00_rolebindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_60_serviceCa_00_rolebindingYaml, nil -} - -func assetsRbac0000_60_serviceCa_00_rolebindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_60_serviceCa_00_rolebindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_60_service-ca_00_rolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var 
_assetsRbac0000_70_dns_01ClusterRoleBindingYaml = []byte(`kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: openshift-dns -subjects: -- kind: ServiceAccount - name: dns - namespace: openshift-dns -roleRef: - kind: ClusterRole - name: openshift-dns -`) - -func assetsRbac0000_70_dns_01ClusterRoleBindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_70_dns_01ClusterRoleBindingYaml, nil -} - -func assetsRbac0000_70_dns_01ClusterRoleBindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_70_dns_01ClusterRoleBindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_70_dns_01ClusterRoleYaml = []byte(`kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: openshift-dns -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -`) - -func assetsRbac0000_70_dns_01ClusterRoleYamlBytes() ([]byte, error) { - return _assetsRbac0000_70_dns_01ClusterRoleYaml, nil -} - -func assetsRbac0000_70_dns_01ClusterRoleYaml() (*asset, error) { - bytes, err := assetsRbac0000_70_dns_01ClusterRoleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_70_dns_01-cluster-role.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_80_hostpathProvisionerClusterroleYaml = []byte(`kind: ClusterRole -apiVersion: 
rbac.authorization.k8s.io/v1 -metadata: - name: kubevirt-hostpath-provisioner -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -`) - -func assetsRbac0000_80_hostpathProvisionerClusterroleYamlBytes() ([]byte, error) { - return _assetsRbac0000_80_hostpathProvisionerClusterroleYaml, nil -} - -func assetsRbac0000_80_hostpathProvisionerClusterroleYaml() (*asset, error) { - bytes, err := assetsRbac0000_80_hostpathProvisionerClusterroleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubevirt-hostpath-provisioner -subjects: -- kind: ServiceAccount - name: kubevirt-hostpath-provisioner-admin - namespace: kubevirt-hostpath-provisioner -roleRef: - kind: ClusterRole - name: kubevirt-hostpath-provisioner - apiGroup: rbac.authorization.k8s.io`) - -func assetsRbac0000_80_hostpathProvisionerClusterrolebindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, nil -} - -func assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_80_hostpathProvisionerClusterrolebindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: 
"assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml = []byte(`# Binds the router role to its Service Account. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: openshift-ingress-router -subjects: -- kind: ServiceAccount - name: router - namespace: openshift-ingress -roleRef: - kind: ClusterRole - name: openshift-ingress-router - namespace: openshift-ingress -`) - -func assetsRbac0000_80_openshiftRouterClusterRoleBindingYamlBytes() ([]byte, error) { - return _assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, nil -} - -func assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml() (*asset, error) { - bytes, err := assetsRbac0000_80_openshiftRouterClusterRoleBindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsRbac0000_80_openshiftRouterClusterRoleYaml = []byte(`# Cluster scoped role for routers. This should be as restrictive as possible. 
-kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: openshift-ingress-router -rules: -- apiGroups: - - "" - resources: - - endpoints - - namespaces - - services - verbs: - - list - - watch - -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - -- apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - list - - watch - -- apiGroups: - - route.openshift.io - resources: - - routes/status - verbs: - - update - -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - use - resourceNames: - - hostnetwork - -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -`) - -func assetsRbac0000_80_openshiftRouterClusterRoleYamlBytes() ([]byte, error) { - return _assetsRbac0000_80_openshiftRouterClusterRoleYaml, nil -} - -func assetsRbac0000_80_openshiftRouterClusterRoleYaml() (*asset, error) { - bytes, err := assetsRbac0000_80_openshiftRouterClusterRoleYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/rbac/0000_80_openshift-router-cluster-role.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. 
-func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. -func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. -var _bindata = map[string]func() (*asset, error){ - "assets/rbac/0000_00_flannel-clusterrole.yaml": assetsRbac0000_00_flannelClusterroleYaml, - "assets/rbac/0000_00_flannel-clusterrolebinding.yaml": assetsRbac0000_00_flannelClusterrolebindingYaml, - "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml": assetsRbac0000_00_podsecuritypolicyFlannelYaml, - "assets/rbac/0000_60_service-ca_00_clusterrole.yaml": assetsRbac0000_60_serviceCa_00_clusterroleYaml, - "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml": assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, - "assets/rbac/0000_60_service-ca_00_role.yaml": assetsRbac0000_60_serviceCa_00_roleYaml, - "assets/rbac/0000_60_service-ca_00_rolebinding.yaml": assetsRbac0000_60_serviceCa_00_rolebindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml": assetsRbac0000_70_dns_01ClusterRoleBindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role.yaml": assetsRbac0000_70_dns_01ClusterRoleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml": 
assetsRbac0000_80_hostpathProvisionerClusterroleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml": assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml": assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role.yaml": assetsRbac0000_80_openshiftRouterClusterRoleYaml, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. -func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} - -var _bintree = &bintree{nil, map[string]*bintree{ - "assets": {nil, map[string]*bintree{ - "rbac": {nil, map[string]*bintree{ - "0000_00_flannel-clusterrole.yaml": {assetsRbac0000_00_flannelClusterroleYaml, map[string]*bintree{}}, - "0000_00_flannel-clusterrolebinding.yaml": {assetsRbac0000_00_flannelClusterrolebindingYaml, map[string]*bintree{}}, - "0000_00_podsecuritypolicy-flannel.yaml": 
{assetsRbac0000_00_podsecuritypolicyFlannelYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrole.yaml": {assetsRbac0000_60_serviceCa_00_clusterroleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrolebinding.yaml": {assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_role.yaml": {assetsRbac0000_60_serviceCa_00_roleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_rolebinding.yaml": {assetsRbac0000_60_serviceCa_00_rolebindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role-binding.yaml": {assetsRbac0000_70_dns_01ClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role.yaml": {assetsRbac0000_70_dns_01ClusterRoleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrole.yaml": {assetsRbac0000_80_hostpathProvisionerClusterroleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrolebinding.yaml": {assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role-binding.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleYaml, map[string]*bintree{}}, - }}, - }}, -}} - -// RestoreAsset restores an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) - if err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) 
error { - children, err := AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -} diff --git a/pkg/assets/scc/bindata.go b/pkg/assets/scc/bindata.go deleted file mode 100644 index cef68c477f..0000000000 --- a/pkg/assets/scc/bindata.go +++ /dev/null 
@@ -1,705 +0,0 @@ -// Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. -// sources: -// assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml -// assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml -// assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml -package assets - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -// Name return file name -func (fi bindataFileInfo) Name() string { - return fi.name -} - -// Size return file size -func (fi bindataFileInfo) Size() int64 { - return fi.size -} - -// Mode return file mode -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} - -// Mode return file modify time -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} - -// IsDir return file whether a directory -func (fi bindataFileInfo) IsDir() bool { - return fi.mode&os.ModeDir != 0 -} - -// Sys return file is sys mode -func (fi bindataFileInfo) Sys() interface{} { - return nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml = []byte(`allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: RunAsAny -groups: -- system:cluster-admins -kind: SecurityContextConstraints -metadata: - 
annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: anyuid provides all features of the restricted SCC - but allows users to run with any UID and any GID. - name: anyuid -priority: 10 -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: [] -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml = []byte(`allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: MustRunAs -groups: [] -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: 'hostaccess allows access 
to all host namespaces but - still requires pods to be run with a UID and SELinux context that are allocated - to the namespace. WARNING: this SCC allows host access to namespaces, file systems, - and PIDS. It should only be used by trusted pods. Grant with caution.' - name: hostaccess -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: MustRunAsRange -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: [] -volumes: -- configMap -- downwardAPI -- emptyDir -- hostPath -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml = []byte(`allowHostDirVolumePlugin: true -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: RunAsAny -groups: [] -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: |- - hostmount-anyuid provides all the features of the - 
restricted SCC but allows host mounts and any UID by a pod. This is primarily - used by the persistent volume recycler. WARNING: this SCC allows host file - system access as any UID, including UID 0. Grant with caution. - name: hostmount-anyuid -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: -- system:serviceaccount:openshift-infra:pv-recycler-controller -volumes: -- configMap -- downwardAPI -- emptyDir -- hostPath -- nfs -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml = []byte(`allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: true -allowHostPID: false -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: MustRunAs -groups: [] -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: hostnetwork allows using host networking and 
host ports - but still requires pods to be run with a UID and SELinux context that are allocated - to the namespace. - name: hostnetwork -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: MustRunAsRange -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: MustRunAs -users: [] -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml = []byte(`allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: RunAsAny -groups: [] -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: nonroot provides all features of the restricted SCC - but allows users to run with any non-root UID. The user must specify the UID - or it must be specified on the by the manifest of the container runtime. 
- name: nonroot -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: MustRunAsNonRoot -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: [] -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml = []byte(`allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -allowedCapabilities: -- "*" -allowedUnsafeSysctls: -- "*" -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: RunAsAny -groups: -- system:cluster-admins -- system:nodes -- system:masters -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: 'privileged allows access to all privileged and host - features and the ability to run as any user, any group, any fsGroup, and with - any SELinux context. WARNING: this is the most relaxed SCC and should be used - only for cluster administration. Grant with caution.' 
- name: privileged -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -seccompProfiles: -- "*" -supplementalGroups: - type: RunAsAny -users: -- system:admin -- system:serviceaccount:openshift-infra:build-controller -volumes: -- "*" -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml = []byte(`allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: -fsGroup: - type: MustRunAs -groups: -- system:authenticated -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - release.openshift.io/create-only: "true" - kubernetes.io/description: restricted denies access to all host features and requires - pods to be run with a UID, and SELinux context that are allocated to the namespace. This - is the most restrictive SCC and it is used by default for authenticated users. 
- name: restricted -priority: -readOnlyRootFilesystem: false -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: MustRunAsRange -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: [] -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -`) - -func assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYamlBytes() ([]byte, error) { - return _assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, nil -} - -func assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml() (*asset, error) { - bytes, err := assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYaml = []byte(`kind: SecurityContextConstraints -apiVersion: security.openshift.io/v1 -metadata: - name: hostpath-provisioner -allowPrivilegedContainer: true -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -allowHostDirVolumePlugin: true -users: -- system:serviceaccount:kubevirt-hostpath-provisioner:kubevirt-hostpath-provisioner-admin -volumes: -- hostPath -- secret -`) - -func assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYamlBytes() ([]byte, error) { - return _assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYaml, nil -} - -func assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYaml() (*asset, error) { - bytes, err := assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: 
"assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. -func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. -func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. 
-var _bindata = map[string]func() (*asset, error){ - "assets/scc/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-privileged.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, - "assets/scc/0000_20_kube-apiserver-operator_00_scc-restricted.yaml": assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, - "assets/scc/0000_80_hostpath-provisioner-securitycontextconstraints.yaml": assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYaml, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. 
-func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} - -var _bintree = &bintree{nil, map[string]*bintree{ - "assets": {nil, map[string]*bintree{ - "scc": {nil, map[string]*bintree{ - "0000_20_kube-apiserver-operator_00_scc-anyuid.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccAnyuidYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostaccessYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostmountAnyuidYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccHostnetworkYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-nonroot.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccNonrootYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-privileged.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccPrivilegedYaml, map[string]*bintree{}}, - "0000_20_kube-apiserver-operator_00_scc-restricted.yaml": {assetsScc0000_20_kubeApiserverOperator_00_sccRestrictedYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-securitycontextconstraints.yaml": {assetsScc0000_80_hostpathProvisionerSecuritycontextconstraintsYaml, map[string]*bintree{}}, - }}, - }}, -}} - -// RestoreAsset restores 
an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) - if err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) error { - children, err := AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -} diff --git a/pkg/assets/storage/bindata.go b/pkg/assets/storage/bindata.go deleted file mode 100644 index 3bbe255f75..0000000000 --- a/pkg/assets/storage/bindata.go +++ /dev/null 
@@ -1,228 +0,0 @@ -// Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. -// sources: -// assets/storage/0000_80_hostpath-provisioner-storageclass.yaml -package assets - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -// Name return file name -func (fi bindataFileInfo) Name() string { - return fi.name -} - -// Size return file size -func (fi bindataFileInfo) Size() int64 { - return fi.size -} - -// Mode return file mode -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} - -// Mode return file modify time -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} - -// IsDir return file whether a directory -func (fi bindataFileInfo) IsDir() bool { - return fi.mode&os.ModeDir != 0 -} - -// Sys return file is sys mode -func (fi bindataFileInfo) Sys() interface{} { - return nil -} - -var _assetsStorage0000_80_hostpathProvisionerStorageclassYaml = []byte(`apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: kubevirt-hostpath-provisioner -provisioner: kubevirt.io/hostpath-provisioner -reclaimPolicy: Delete -volumeBindingMode: WaitForFirstConsumer`) - -func assetsStorage0000_80_hostpathProvisionerStorageclassYamlBytes() ([]byte, error) { - return _assetsStorage0000_80_hostpathProvisionerStorageclassYaml, nil -} - -func assetsStorage0000_80_hostpathProvisionerStorageclassYaml() (*asset, error) { - bytes, err := assetsStorage0000_80_hostpathProvisionerStorageclassYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/storage/0000_80_hostpath-provisioner-storageclass.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset for the given name. 
-// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. -func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. -func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. -var _bindata = map[string]func() (*asset, error){ - "assets/storage/0000_80_hostpath-provisioner-storageclass.yaml": assetsStorage0000_80_hostpathProvisionerStorageclassYaml, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... 
and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. -func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} - -var _bintree = &bintree{nil, map[string]*bintree{ - "assets": {nil, map[string]*bintree{ - "storage": {nil, map[string]*bintree{ - "0000_80_hostpath-provisioner-storageclass.yaml": {assetsStorage0000_80_hostpathProvisionerStorageclassYaml, map[string]*bintree{}}, - }}, - }}, -}} - -// RestoreAsset restores an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) - if err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) error { - children, err := 
AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -}