Andrey Smirnov bdb96189fa
refactor: make maintenance service controller-based
Fixes #7430

Introduce a set of resources which look similar to other API
implementations: CA, certs, cert SANs, etc.

Introduce a controller which manages the service based on resource
state.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-07-10 15:41:52 +04:00

101 lines
3.0 KiB
Protocol Buffer
Executable File

syntax = "proto3";
package talos.resource.definitions.secrets;
option go_package = "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/secrets";
import "common/common.proto";
// APICertsSpec describes etcd certs secrets.
message APICertsSpec {
common.PEMEncodedCertificateAndKey ca = 1;
common.PEMEncodedCertificateAndKey client = 2;
common.PEMEncodedCertificateAndKey server = 3;
}
// CertSANSpec describes fields of the cert SANs.
message CertSANSpec {
repeated common.NetIP i_ps = 1;
repeated string dns_names = 2;
string fqdn = 3;
}
// EtcdCertsSpec describes etcd certs secrets.
message EtcdCertsSpec {
common.PEMEncodedCertificateAndKey etcd = 1;
common.PEMEncodedCertificateAndKey etcd_peer = 2;
common.PEMEncodedCertificateAndKey etcd_admin = 3;
common.PEMEncodedCertificateAndKey etcd_api_server = 4;
}
// EtcdRootSpec describes etcd CA secrets.
message EtcdRootSpec {
common.PEMEncodedCertificateAndKey etcd_ca = 1;
}
// KubeletSpec describes root Kubernetes secrets.
message KubeletSpec {
common.URL endpoint = 1;
common.PEMEncodedCertificateAndKey ca = 2;
string bootstrap_token_id = 3;
string bootstrap_token_secret = 4;
}
// KubernetesCertsSpec describes generated Kubernetes certificates.
message KubernetesCertsSpec {
string scheduler_kubeconfig = 4;
string controller_manager_kubeconfig = 5;
string localhost_admin_kubeconfig = 6;
string admin_kubeconfig = 7;
}
// KubernetesDynamicCertsSpec describes generated KubernetesCerts certificates.
message KubernetesDynamicCertsSpec {
common.PEMEncodedCertificateAndKey api_server = 1;
common.PEMEncodedCertificateAndKey api_server_kubelet_client = 2;
common.PEMEncodedCertificateAndKey front_proxy = 3;
}
// KubernetesRootSpec describes root Kubernetes secrets.
message KubernetesRootSpec {
string name = 1;
common.URL endpoint = 2;
common.URL local_endpoint = 3;
repeated string cert_sa_ns = 4;
string dns_domain = 6;
common.PEMEncodedCertificateAndKey ca = 7;
common.PEMEncodedKey service_account = 8;
common.PEMEncodedCertificateAndKey aggregator_ca = 9;
string aescbc_encryption_secret = 10;
string bootstrap_token_id = 11;
string bootstrap_token_secret = 12;
string secretbox_encryption_secret = 13;
repeated common.NetIP api_server_ips = 14;
}
// MaintenanceRootSpec describes maintenance service CA.
message MaintenanceRootSpec {
common.PEMEncodedCertificateAndKey ca = 1;
}
// MaintenanceServiceCertsSpec describes maintenance service certs secrets.
message MaintenanceServiceCertsSpec {
common.PEMEncodedCertificateAndKey ca = 1;
common.PEMEncodedCertificateAndKey server = 2;
}
// OSRootSpec describes operating system CA.
message OSRootSpec {
common.PEMEncodedCertificateAndKey ca = 1;
repeated common.NetIP cert_sani_ps = 2;
repeated string cert_sandns_names = 3;
string token = 4;
}
// TrustdCertsSpec describes etcd certs secrets.
message TrustdCertsSpec {
common.PEMEncodedCertificateAndKey ca = 1;
common.PEMEncodedCertificateAndKey server = 2;
}