# This file is generated. Do not edit. --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: brupop-bottlerocket-aws/brupop-apiserver-certificate name: bottlerocketshadows.brupop.bottlerocket.aws spec: conversion: strategy: Webhook webhook: clientConfig: service: name: brupop-apiserver namespace: brupop-bottlerocket-aws path: /crdconvert port: 443 conversionReviewVersions: - v1 - v2 group: brupop.bottlerocket.aws names: kind: BottlerocketShadow plural: bottlerocketshadows shortNames: - brs singular: bottlerocketshadow scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: ".status.current_state" name: State type: string - jsonPath: ".status.current_version" name: Version type: string - jsonPath: ".spec.state" name: Target State type: string - jsonPath: ".spec.version" name: Target Version type: string - jsonPath: ".status.crash_count" name: Crash Count type: string name: v2 schema: openAPIV3Schema: description: "Auto-generated derived type for BottlerocketShadowSpec via `CustomResource`" properties: spec: description: "The `BottlerocketShadowSpec` can be used to drive a node through the update state machine. A node linearly drives towards the desired state. The brupop controller updates the spec to specify a node's desired state, and the host agent drives state changes forward and updates the `BottlerocketShadowStatus`." properties: state: description: "Records the desired state of the `BottlerocketShadow`" enum: - Idle - StagedAndPerformedUpdate - RebootedIntoUpdate - MonitoringUpdate - ErrorReset type: string state_transition_timestamp: description: The time at which the most recent state was set as the desired state. nullable: true type: string version: description: "The desired update version, if any." nullable: true pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string required: - state type: object status: description: "`BottlerocketShadowStatus` surfaces the current state of a bottlerocket node. The status is updated by the host agent, while the spec is updated by the brupop controller." nullable: true properties: crash_count: format: uint32 minimum: 0.0 type: integer current_state: description: "BottlerocketShadowState represents a node's state in the update state machine." enum: - Idle - StagedAndPerformedUpdate - RebootedIntoUpdate - MonitoringUpdate - ErrorReset type: string current_version: pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string state_transition_failure_timestamp: nullable: true type: string target_version: pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string required: - crash_count - current_state - current_version - target_version type: object required: - spec title: BottlerocketShadow type: object served: true storage: true subresources: status: {} - additionalPrinterColumns: - jsonPath: ".status.current_state" name: State type: string - jsonPath: ".status.current_version" name: Version type: string - jsonPath: ".spec.state" name: Target State type: string - jsonPath: ".spec.version" name: Target Version type: string name: v1 schema: openAPIV3Schema: description: "Auto-generated derived type for BottlerocketShadowSpec via `CustomResource`" properties: spec: description: "The `BottlerocketShadowSpec` can be used to drive a node through the update state machine. A node linearly drives towards the desired state. The brupop controller updates the spec to specify a node's desired state, and the host agent drives state changes forward and updates the `BottlerocketShadowStatus`." properties: state: description: "Records the desired state of the `BottlerocketShadow`" enum: - Idle - StagedUpdate - PerformedUpdate - RebootedIntoUpdate - MonitoringUpdate type: string state_transition_timestamp: description: The time at which the most recent state was set as the desired state. nullable: true type: string version: description: "The desired update version, if any." nullable: true pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string required: - state type: object status: description: "`BottlerocketShadowStatus` surfaces the current state of a bottlerocket node. The status is updated by the host agent, while the spec is updated by the brupop controller." nullable: true properties: current_state: description: "BottlerocketShadowState represents a node's state in the update state machine." enum: - Idle - StagedUpdate - PerformedUpdate - RebootedIntoUpdate - MonitoringUpdate type: string current_version: pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string target_version: pattern: "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" type: string required: - current_state - current_version - target_version type: object required: - spec title: BottlerocketShadow type: object served: true storage: false subresources: status: {} --- apiVersion: v1 kind: Namespace metadata: labels: name: brupop name: brupop-bottlerocket-aws --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: selfsigned-issuer spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: my-ca-issuer namespace: brupop-bottlerocket-aws spec: ca: secretName: brupop-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: brupop-apiserver-certificate namespace: brupop-bottlerocket-aws spec: isCA: true commonName: my-selfsigned-ca secretName: brupop-tls privateKey: algorithm: RSA encoding: PKCS8 dnsNames: - brupop-apiserver.brupop-bottlerocket-aws.svc.cluster.local - brupop-apiserver.brupop-bottlerocket-aws.svc issuerRef: name: selfsigned-issuer kind: ClusterIssuer group: cert-manager.io --- apiVersion: v1 kind: ServiceAccount metadata: annotations: kubernetes.io/service-account.name: brupop-apiserver-service-account labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver-service-account namespace: brupop-bottlerocket-aws --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver-role namespace: brupop-bottlerocket-aws rules: - apiGroups: - brupop.bottlerocket.aws resources: - bottlerocketshadows - bottlerocketshadows/status verbs: - create - get - list - patch - update - watch - apiGroups: - apps resources: - deployments verbs: - create - delete - deletecollection - get - list - patch - update - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - "" resources: - nodes verbs: - get - list - patch - apiGroups: - "" resources: - pods/eviction verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver-role-binding namespace: brupop-bottlerocket-aws roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: brupop-apiserver-role subjects: - kind: ServiceAccount name: brupop-apiserver-service-account namespace: brupop-bottlerocket-aws --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver-auth-delegator-role-binding namespace: brupop-bottlerocket-aws roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: "system:auth-delegator" subjects: - kind: ServiceAccount name: brupop-apiserver-service-account namespace: brupop-bottlerocket-aws --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver namespace: brupop-bottlerocket-aws spec: replicas: 3 selector: matchLabels: brupop.bottlerocket.aws/component: apiserver strategy: rollingUpdate: maxUnavailable: 33% template: metadata: labels: brupop.bottlerocket.aws/component: apiserver namespace: brupop-bottlerocket-aws spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 - arm64 containers: - command: - "./apiserver" image: "public.ecr.aws/bottlerocket/bottlerocket-update-operator:v0.2.2" livenessProbe: httpGet: path: /ping port: 8443 scheme: HTTPS initialDelaySeconds: 5 name: brupop ports: - containerPort: 8443 readinessProbe: httpGet: path: /ping port: 8443 scheme: HTTPS initialDelaySeconds: 5 volumeMounts: - mountPath: /etc/brupop-tls-keys name: bottlerocket-tls-keys serviceAccountName: brupop-apiserver-service-account volumes: - name: bottlerocket-tls-keys secret: optional: false secretName: brupop-tls --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: apiserver app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: apiserver name: brupop-apiserver namespace: brupop-bottlerocket-aws spec: ports: - port: 443 targetPort: 8443 selector: brupop.bottlerocket.aws/component: apiserver --- apiVersion: v1 kind: ServiceAccount metadata: annotations: kubernetes.io/service-account.name: brupop-agent-service-account labels: app.kubernetes.io/component: agent app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: agent name: brupop-agent-service-account namespace: brupop-bottlerocket-aws --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: agent app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: agent name: brupop-agent-role namespace: brupop-bottlerocket-aws rules: - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - brupop.bottlerocket.aws resources: - bottlerocketshadows - bottlerocketshadows/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/component: agent app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: agent name: brupop-agent-role-binding namespace: brupop-bottlerocket-aws roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: brupop-agent-role subjects: - kind: ServiceAccount name: brupop-agent-service-account namespace: brupop-bottlerocket-aws --- apiVersion: apps/v1 kind: DaemonSet metadata: labels: app.kubernetes.io/component: agent app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: agent name: brupop-agent namespace: brupop-bottlerocket-aws spec: selector: matchLabels: brupop.bottlerocket.aws/component: agent template: metadata: labels: brupop.bottlerocket.aws/component: agent namespace: brupop-bottlerocket-aws spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: bottlerocket.aws/updater-interface-version operator: In values: - 2.0.0 - key: kubernetes.io/arch operator: In values: - amd64 - arm64 containers: - command: - "./agent" env: - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName image: "public.ecr.aws/bottlerocket/bottlerocket-update-operator:v0.2.2" name: brupop resources: limits: memory: 50Mi requests: cpu: 10m memory: 50Mi securityContext: seLinuxOptions: level: s0 role: system_r type: super_t user: system_u volumeMounts: - mountPath: /run/api.sock name: bottlerocket-api-socket - mountPath: /bin/apiclient name: bottlerocket-apiclient - mountPath: /var/run/secrets/tokens/ name: bottlerocket-agent-service-account-token - mountPath: /etc/brupop-tls-keys name: bottlerocket-tls-keys serviceAccountName: brupop-agent-service-account volumes: - hostPath: path: /run/api.sock type: Socket name: bottlerocket-api-socket - hostPath: path: /bin/apiclient type: File name: bottlerocket-apiclient - name: bottlerocket-agent-service-account-token projected: sources: - serviceAccountToken: audience: brupop-apiserver path: bottlerocket-agent-service-account-token - name: bottlerocket-tls-keys secret: optional: false secretName: brupop-tls --- apiVersion: v1 kind: ServiceAccount metadata: annotations: kubernetes.io/service-account.name: brupop-controller-service-account labels: app.kubernetes.io/component: brupop-controller app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: brupop-controller name: brupop-controller-service-account namespace: brupop-bottlerocket-aws --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: brupop-controller app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: brupop-controller name: brupop-controller-role namespace: brupop-bottlerocket-aws rules: - apiGroups: - brupop.bottlerocket.aws resources: - bottlerocketshadows - bottlerocketshadows/status verbs: - get - list - watch - apiGroups: - brupop.bottlerocket.aws resources: - bottlerocketshadows verbs: - create - patch - update - apiGroups: - apps resources: - deployments verbs: - create - delete - deletecollection - get - list - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/component: brupop-controller app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: brupop-controller name: brupop-controller-role-binding namespace: brupop-bottlerocket-aws roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: brupop-controller-role subjects: - kind: ServiceAccount name: brupop-controller-service-account namespace: brupop-bottlerocket-aws --- apiVersion: scheduling.k8s.io/v1 kind: PriorityClass metadata: name: brupop-controller-high-priority namespace: brupop-bottlerocket-aws preemptionPolicy: Never value: 1000000 --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: brupop-controller app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: brupop-controller name: brupop-controller-deployment namespace: brupop-bottlerocket-aws spec: replicas: 1 selector: matchLabels: brupop.bottlerocket.aws/component: brupop-controller strategy: type: Recreate template: metadata: labels: brupop.bottlerocket.aws/component: brupop-controller namespace: brupop-bottlerocket-aws spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 - arm64 containers: - command: - "./controller" env: - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName image: "public.ecr.aws/bottlerocket/bottlerocket-update-operator:v0.2.2" name: brupop priorityClassName: brupop-controller-high-priority serviceAccountName: brupop-controller-service-account --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: brupop-controller app.kubernetes.io/managed-by: brupop app.kubernetes.io/part-of: brupop brupop.bottlerocket.aws/component: brupop-controller name: brupop-controller-server namespace: brupop-bottlerocket-aws spec: ports: - port: 80 targetPort: 8080 selector: brupop.bottlerocket.aws/component: brupop-controller