diff --git a/operators/ack-ssm-controller/1.0.0/bundle.Dockerfile b/operators/ack-ssm-controller/1.0.0/bundle.Dockerfile
new file mode 100644
index 00000000000..904a5a4ecd4
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/bundle.Dockerfile
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=ack-ssm-controller
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=unknown
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-controller.clusterserviceversion.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-controller.clusterserviceversion.yaml
new file mode 100644
index 00000000000..4b70bb57911
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-controller.clusterserviceversion.yaml
@@ -0,0 +1,264 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+ annotations:
+ alm-examples: '[]'
+ capabilities: Basic Install
+ categories: Cloud Provider
+ certified: "false"
+ containerImage: public.ecr.aws/aws-controllers-k8s/ssm-controller:1.0.0
+ createdAt: "2024-12-02T21:23:58Z"
+ description: AWS SSM controller is a service controller for managing SSM resources
+ in Kubernetes
+ operatorframework.io/suggested-namespace: ack-system
+ operators.operatorframework.io/builder: operator-sdk-v1.28.0
+ operators.operatorframework.io/project_layout: unknown
+ repository: https://github.com/aws-controllers-k8s
+ support: Community
+ labels:
+ operatorframework.io/arch.amd64: supported
+ operatorframework.io/arch.arm64: supported
+ operatorframework.io/os.linux: supported
+ name: ack-ssm-controller.v1.0.0
+ namespace: placeholder
+spec:
+ apiservicedefinitions: {}
+ customresourcedefinitions:
+ owned:
+ - description: Document represents the state of an AWS ssm Document resource.
+ displayName: Document
+ kind: Document
+ name: documents.ssm.services.k8s.aws
+ version: v1alpha1
+ - description: PatchBaseline represents the state of an AWS ssm PatchBaseline
+ resource.
+ displayName: PatchBaseline
+ kind: PatchBaseline
+ name: patchbaselines.ssm.services.k8s.aws
+ version: v1alpha1
+ - description: ResourceDataSync represents the state of an AWS ssm ResourceDataSync
+ resource.
+ displayName: ResourceDataSync
+ kind: ResourceDataSync
+ name: resourcedatasyncs.ssm.services.k8s.aws
+ version: v1alpha1
+ description: |-
+ Manage Amazon SSM resources in AWS from within your Kubernetes cluster.
+
+ **About Amazon SSM**
+
+ {ADD YOUR DESCRIPTION HERE}
+
+ **About the AWS Controllers for Kubernetes**
+
+ This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. This project is currently in **developer preview**.
+ displayName: AWS Controllers for Kubernetes - Amazon SSM + icon: + - base64data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjAuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB2aWV3Qm94PSIwIDAgMzA0IDE4MiIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzA0IDE4MjsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMyNTJGM0U7fQoJLnN0MXtmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtmaWxsOiNGRjk5MDA7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik04Ni40LDY2LjRjMCwzLjcsMC40LDYuNywxLjEsOC45YzAuOCwyLjIsMS44LDQuNiwzLjIsNy4yYzAuNSwwLjgsMC43LDEuNiwwLjcsMi4zYzAsMS0wLjYsMi0xLjksM2wtNi4zLDQuMiAgIGMtMC45LDAuNi0xLjgsMC45LTIuNiwwLjljLTEsMC0yLTAuNS0zLTEuNEM3Ni4yLDkwLDc1LDg4LjQsNzQsODYuOGMtMS0xLjctMi0zLjYtMy4xLTUuOWMtNy44LDkuMi0xNy42LDEzLjgtMjkuNCwxMy44ICAgYy04LjQsMC0xNS4xLTIuNC0yMC03LjJjLTQuOS00LjgtNy40LTExLjItNy40LTE5LjJjMC04LjUsMy0xNS40LDkuMS0yMC42YzYuMS01LjIsMTQuMi03LjgsMjQuNS03LjhjMy40LDAsNi45LDAuMywxMC42LDAuOCAgIGMzLjcsMC41LDcuNSwxLjMsMTEuNSwyLjJ2LTcuM2MwLTcuNi0xLjYtMTIuOS00LjctMTZjLTMuMi0zLjEtOC42LTQuNi0xNi4zLTQuNmMtMy41LDAtNy4xLDAuNC0xMC44LDEuM2MtMy43LDAuOS03LjMsMi0xMC44LDMuNCAgIGMtMS42LDAuNy0yLjgsMS4xLTMuNSwxLjNjLTAuNywwLjItMS4yLDAuMy0xLjYsMC4zYy0xLjQsMC0yLjEtMS0yLjEtMy4xdi00LjljMC0xLjYsMC4yLTIuOCwwLjctMy41YzAuNS0wLjcsMS40LTEuNCwyLjgtMi4xICAgYzMuNS0xLjgsNy43LTMuMywxMi42LTQuNWM0LjktMS4zLDEwLjEtMS45LDE1LjYtMS45YzExLjksMCwyMC42LDIuNywyNi4yLDguMWM1LjUsNS40LDguMywxMy42LDguMywyNC42VjY2LjR6IE00NS44LDgxLjYgICBjMy4zLDAsNi43LTAuNiwxMC4zLTEuOGMzLjYtMS4yLDYuOC0zLjQsOS41LTYuNGMxLjYtMS45LDIuOC00LDMuNC02LjRjMC42LTIuNCwxLTUuMywxLTguN3YtNC4yYy0yLjktMC43LTYtMS4zLTkuMi0xLjcgICBjLTMuMi0wLjQtNi4zLTAuNi05LjQtMC42Yy02LjcsMC0xMS42LDEuMy0xNC45LDRjLTMuMywyLjctNC45LDYuNS00LjksMTEuNWMwLDQuNywxLjIsOC4yLDMuNywxMC42ICAgQzM3LjcsO
DAuNCw0MS4yLDgxLjYsNDUuOCw4MS42eiBNMTI2LjEsOTIuNGMtMS44LDAtMy0wLjMtMy44LTFjLTAuOC0wLjYtMS41LTItMi4xLTMuOUw5Ni43LDEwLjJjLTAuNi0yLTAuOS0zLjMtMC45LTQgICBjMC0xLjYsMC44LTIuNSwyLjQtMi41aDkuOGMxLjksMCwzLjIsMC4zLDMuOSwxYzAuOCwwLjYsMS40LDIsMiwzLjlsMTYuOCw2Ni4ybDE1LjYtNjYuMmMwLjUtMiwxLjEtMy4zLDEuOS0zLjljMC44LTAuNiwyLjItMSw0LTEgICBoOGMxLjksMCwzLjIsMC4zLDQsMWMwLjgsMC42LDEuNSwyLDEuOSwzLjlsMTUuOCw2N2wxNy4zLTY3YzAuNi0yLDEuMy0zLjMsMi0zLjljMC44LTAuNiwyLjEtMSwzLjktMWg5LjNjMS42LDAsMi41LDAuOCwyLjUsMi41ICAgYzAsMC41LTAuMSwxLTAuMiwxLjZjLTAuMSwwLjYtMC4zLDEuNC0wLjcsMi41bC0yNC4xLDc3LjNjLTAuNiwyLTEuMywzLjMtMi4xLDMuOWMtMC44LDAuNi0yLjEsMS0zLjgsMWgtOC42Yy0xLjksMC0zLjItMC4zLTQtMSAgIGMtMC44LTAuNy0xLjUtMi0xLjktNEwxNTYsMjNsLTE1LjQsNjQuNGMtMC41LDItMS4xLDMuMy0xLjksNGMtMC44LDAuNy0yLjIsMS00LDFIMTI2LjF6IE0yNTQuNiw5NS4xYy01LjIsMC0xMC40LTAuNi0xNS40LTEuOCAgIGMtNS0xLjItOC45LTIuNS0xMS41LTRjLTEuNi0wLjktMi43LTEuOS0zLjEtMi44Yy0wLjQtMC45LTAuNi0xLjktMC42LTIuOHYtNS4xYzAtMi4xLDAuOC0zLjEsMi4zLTMuMWMwLjYsMCwxLjIsMC4xLDEuOCwwLjMgICBjMC42LDAuMiwxLjUsMC42LDIuNSwxYzMuNCwxLjUsNy4xLDIuNywxMSwzLjVjNCwwLjgsNy45LDEuMiwxMS45LDEuMmM2LjMsMCwxMS4yLTEuMSwxNC42LTMuM2MzLjQtMi4yLDUuMi01LjQsNS4yLTkuNSAgIGMwLTIuOC0wLjktNS4xLTIuNy03Yy0xLjgtMS45LTUuMi0zLjYtMTAuMS01LjJMMjQ2LDUyYy03LjMtMi4zLTEyLjctNS43LTE2LTEwLjJjLTMuMy00LjQtNS05LjMtNS0xNC41YzAtNC4yLDAuOS03LjksMi43LTExLjEgICBjMS44LTMuMiw0LjItNiw3LjItOC4yYzMtMi4zLDYuNC00LDEwLjQtNS4yYzQtMS4yLDguMi0xLjcsMTIuNi0xLjdjMi4yLDAsNC41LDAuMSw2LjcsMC40YzIuMywwLjMsNC40LDAuNyw2LjUsMS4xICAgYzIsMC41LDMuOSwxLDUuNywxLjZjMS44LDAuNiwzLjIsMS4yLDQuMiwxLjhjMS40LDAuOCwyLjQsMS42LDMsMi41YzAuNiwwLjgsMC45LDEuOSwwLjksMy4zdjQuN2MwLDIuMS0wLjgsMy4yLTIuMywzLjIgICBjLTAuOCwwLTIuMS0wLjQtMy44LTEuMmMtNS43LTIuNi0xMi4xLTMuOS0xOS4yLTMuOWMtNS43LDAtMTAuMiwwLjktMTMuMywyLjhjLTMuMSwxLjktNC43LDQuOC00LjcsOC45YzAsMi44LDEsNS4yLDMsNy4xICAgYzIsMS45LDUuNywzLjgsMTEsNS41bDE0LjIsNC41YzcuMiwyLjMsMTIuNCw1LjUsMTUuNSw5LjZjMy4xLDQuMSw0LjYsOC44LDQuNiwxNGMwLDQuMy0wLjksOC4yLTIuNiwxMS42ICAgYy0xLjgsMy40LTQuMiw2LjQtNy4zLDguOGMtMy4xLDIuNS02LjgsNC4zLTExLjEsN
S42QzI2NC40LDk0LjQsMjU5LjcsOTUuMSwyNTQuNiw5NS4xeiIvPgoJPGc+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI3My41LDE0My43Yy0zMi45LDI0LjMtODAuNywzNy4yLTEyMS44LDM3LjJjLTU3LjYsMC0xMDkuNS0yMS4zLTE0OC43LTU2LjdjLTMuMS0yLjgtMC4zLTYuNiwzLjQtNC40ICAgIGM0Mi40LDI0LjYsOTQuNywzOS41LDE0OC44LDM5LjVjMzYuNSwwLDc2LjYtNy42LDExMy41LTIzLjJDMjc0LjIsMTMzLjYsMjc4LjksMTM5LjcsMjczLjUsMTQzLjd6Ii8+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI4Ny4yLDEyOC4xYy00LjItNS40LTI3LjgtMi42LTM4LjUtMS4zYy0zLjIsMC40LTMuNy0yLjQtMC44LTQuNWMxOC44LTEzLjIsNDkuNy05LjQsNTMuMy01ICAgIGMzLjYsNC41LTEsMzUuNC0xOC42LDUwLjJjLTIuNywyLjMtNS4zLDEuMS00LjEtMS45QzI4Mi41LDE1NS43LDI5MS40LDEzMy40LDI4Ny4yLDEyOC4xeiIvPgoJPC9nPgo8L2c+Cjwvc3ZnPg== + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + - fieldexports/status + verbs: + - get + - patch + - update + - apiGroups: + - ssm.services.k8s.aws + resources: + - documents + - patchbaselines + - resourcedatasyncs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - ssm.services.k8s.aws + resources: + - documents/status + - patchbaselines/status + - resourcedatasyncs/status + verbs: + - get + - patch + - update + serviceAccountName: ack-ssm-controller + deployments: + - label: + app.kubernetes.io/name: ack-ssm-controller + app.kubernetes.io/part-of: ack-system + name: ack-ssm-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-ssm-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-ssm-controller + spec: + containers: + - args: + - 
--aws-region
+ - $(AWS_REGION)
+ - --aws-endpoint-url
+ - $(AWS_ENDPOINT_URL)
+ - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING)
+ - --log-level
+ - $(ACK_LOG_LEVEL)
+ - --resource-tags
+ - $(ACK_RESOURCE_TAGS)
+ - --watch-namespace
+ - $(ACK_WATCH_NAMESPACE)
+ - --enable-leader-election=$(ENABLE_LEADER_ELECTION)
+ - --leader-election-namespace
+ - $(LEADER_ELECTION_NAMESPACE)
+ - --reconcile-default-max-concurrent-syncs
+ - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS)
+ command:
+ - ./bin/controller
+ env:
+ - name: ACK_SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - configMapRef:
+ name: ack-ssm-user-config
+ optional: false
+ - secretRef:
+ name: ack-ssm-user-secrets
+ optional: true
+ image: public.ecr.aws/aws-controllers-k8s/ssm-controller:1.0.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: controller
+ ports:
+ - containerPort: 8080
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ dnsPolicy: ClusterFirst
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: ack-ssm-controller
+ terminationGracePeriodSeconds: 10
+ permissions:
+ - rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ serviceAccountName: ack-ssm-controller
+ strategy: deployment
+ installModes:
+ - supported: true
+ type: OwnNamespace
+ - supported: true
+ type: SingleNamespace
+ - supported: true
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
+ keywords:
+ - ssm
+ - aws
+ - amazon
+ - ack
+ links:
+ - name: AWS Controllers for Kubernetes
+ url: https://github.com/aws-controllers-k8s/community
+ - name: Documentation
+ url: https://aws-controllers-k8s.github.io/community/
+ - name: Amazon SSM Developer Resources
+ url: https://aws.amazon.com/SSM/developer-resources/
+ maintainers:
+ - email: ack-maintainers@amazon.com
+ name: ssm maintainer team
+ maturity: alpha
+ provider:
+ name: Amazon, Inc.
+ url: https://aws.amazon.com
+ version: 1.0.0
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-metrics-service_v1_service.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-metrics-service_v1_service.yaml
new file mode 100644
index 00000000000..4ba6f4c998b
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-metrics-service_v1_service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: ack-ssm-metrics-service
+spec:
+ ports:
+ - name: metricsport
+ port: 8080
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: ack-ssm-controller
+ type: NodePort
+status:
+ loadBalancer: {}
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-reader_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 00000000000..e2e46f8f04e
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-reader_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-ssm-reader
+rules:
+- apiGroups:
+ - ssm.services.k8s.aws
+ resources:
+ - documents
+ - patchbaselines
+ - resourcedatasyncs
+ verbs:
+ - get
+ - list
+ - watch
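Review bot: In ack-ssm-controller.clusterserviceversion.yaml the first `clusterPermissions` rule gives the controller's service account `get`, `list`, `patch` and `watch` on `secrets` and `configmaps` across the whole cluster, which is the widest grant in this bundle and is not explained anywhere in the CSV. The CSV also declares `OwnNamespace` and `SingleNamespace` install modes, so the description should state why cluster-scoped secret access is required, or the rule should move to the namespaced `permissions` block if the controller works without it (the diff does not show which). The description still carries the template placeholder `{ADD YOUR DESCRIPTION HERE}`. The container `image:` is referenced by the mutable tag `ssm-controller:1.0.0`; pinning it as `ssm-controller@sha256:<digest>` would tie the bundle to one reviewed image.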
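Review bot: `type: NodePort` in ack-ssm-metrics-service_v1_service.yaml publishes the controller's metrics port (8080, target `http`) on every node's address, so the endpoint is reachable from outside the pod network unless something else filters it. Nothing in this bundle shows a consumer that needs node-level exposure, and no authentication for that port is visible in the deployment spec; `type: ClusterIP` would keep it reachable to in-cluster scrapers only. If the upstream generator emits NodePort, the change belongs in its template as well.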
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-writer_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 00000000000..1f8ec4ed1c9
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/manifests/ack-ssm-writer_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-ssm-writer
+rules:
+- apiGroups:
+ - ssm.services.k8s.aws
+ resources:
+ - documents
+ - patchbaselines
+ - resourcedatasyncs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ssm.services.k8s.aws
+ resources:
+ - documents
+ - patchbaselines
+ - resourcedatasyncs
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_documents.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_documents.yaml
new file mode 100644
index 00000000000..85058cdee6e
--- /dev/null
+++ b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_documents.yaml
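Review bot: The second rule in the `ack-ssm-writer` Role repeats the first rule's resources (`documents`, `patchbaselines`, `resourcedatasyncs`) with a subset of its verbs, so it grants nothing the first rule does not already grant. The CSV's `clusterPermissions` in this same commit pair the resource rule with a `/status` rule, which suggests the second rule here was meant to list `- documents/status`, `- patchbaselines/status` and `- resourcedatasyncs/status`. As written, the role gives no access to the status subresources, which matters only if writers are expected to touch them; otherwise the redundant rule should be dropped so the role reads as what it grants. The file looks generated, so the correction probably belongs in the upstream template.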
@@ -0,0 +1,377 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: documents.ssm.services.k8s.aws +spec: + group: ssm.services.k8s.aws + names: + kind: Document + listKind: DocumentList + plural: documents + singular: document + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Document is the Schema for the Documents API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DocumentSpec defines the desired state of Document. + properties: + attachments: + description: A list of key-value pairs that describe attachments to + a version of a document. + items: + description: |- + Identifying information about a document attachment, including the file name + and a key-value pair that identifies the location of an attachment to a document. + properties: + key: + type: string + name: + type: string + values: + items: + type: string + type: array + type: object + type: array + content: + description: |- + The content for the new SSM document in JSON or YAML format. The content + of the document must not exceed 64KB. This quota also includes the content + specified for input parameters at runtime. 
We recommend storing the contents + for your new document in an external JSON or YAML file and referencing the + file in a command. + + For examples, see the following topics in the Amazon Web Services Systems + Manager User Guide. + + * Create an SSM document (Amazon Web Services API) (https://docs.aws.amazon.com/systems-manager/latest/userguide/create-ssm-document-api.html) + + * Create an SSM document (Amazon Web Services CLI) (https://docs.aws.amazon.com/systems-manager/latest/userguide/create-ssm-document-cli.html) + + * Create an SSM document (API) (https://docs.aws.amazon.com/systems-manager/latest/userguide/create-ssm-document-api.html) + type: string + displayName: + description: |- + An optional field where you can specify a friendly name for the SSM document. + This value can differ for each version of the document. You can update this + value at a later time using the UpdateDocument operation. + type: string + documentFormat: + description: |- + Specify the document format for the request. The document format can be JSON, + YAML, or TEXT. JSON is the default format. + type: string + documentType: + description: |- + The type of document to create. + + The DeploymentStrategy document type is an internal-use-only document type + reserved for AppConfig. + type: string + name: + description: |- + A name for the SSM document. + + You can't use the following strings as document name prefixes. These are + reserved by Amazon Web Services for use as document name prefixes: + + * aws + + * amazon + + * amzn + type: string + requires: + description: |- + A list of SSM documents required by a document. This parameter is used exclusively + by AppConfig. When a user creates an AppConfig configuration in an SSM document, + the user must also specify a required document for validation purposes. In + this case, an ApplicationConfiguration document requires an ApplicationConfigurationSchema + document for validation purposes. For more information, see What is AppConfig? 
+ (https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) + in the AppConfig User Guide. + items: + description: An SSM document required by the current document. + properties: + name: + type: string + requireType: + type: string + version: + type: string + versionName: + type: string + type: object + type: array + tags: + description: |- + Optional metadata that you assign to a resource. Tags enable you to categorize + a resource in different ways, such as by purpose, owner, or environment. + For example, you might want to tag an SSM document to identify the types + of targets or the environment where it will run. In this case, you could + specify the following key-value pairs: + + * Key=OS,Value=Windows + + * Key=Environment,Value=Production + + To add tags to an existing SSM document, use the AddTagsToResource operation. + items: + description: |- + Metadata that you assign to your Amazon Web Services resources. Tags enable + you to categorize your resources in different ways, for example, by purpose, + owner, or environment. In Amazon Web Services Systems Manager, you can apply + tags to Systems Manager documents (SSM documents), managed nodes, maintenance + windows, parameters, patch baselines, OpsItems, and OpsMetadata. + properties: + key: + type: string + value: + type: string + type: object + type: array + targetType: + description: |- + Specify a target type to define the kinds of resources the document can run + on. For example, to run a document on EC2 instances, specify the following + value: /AWS::EC2::Instance. If you specify a value of '/' the document can + run on all types of resources. If you don't specify a value, the document + can't run on any resources. For a list of valid resource types, see Amazon + Web Services resource and property types reference (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) + in the CloudFormation User Guide. 
+ type: string + versionName: + description: |- + An optional field specifying the version of the artifact you are creating + with the document. For example, Release12.1. This value is unique across + all versions of a document, and can't be changed. + type: string + required: + - content + - name + type: object + status: + description: DocumentStatus defines the observed state of Document + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + approvedVersion: + description: The version of the document currently approved for use + in the organization. + type: string + attachmentsInformation: + description: |- + Details about the document attachments, including names, locations, sizes, + and so on. + items: + description: An attribute of an attachment, such as the attachment + name. + properties: + name: + type: string + type: object + type: array + author: + description: The user in your organization who created the document. 
+ type: string + category: + description: |- + The classification of a document to help you identify and categorize its + use. + items: + type: string + type: array + categoryEnum: + description: The value that identifies a document's category. + items: + type: string + type: array + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createdDate: + description: The date when the document was created. + format: date-time + type: string + defaultVersion: + description: The default version. + type: string + description: + description: A description of the document. + type: string + documentVersion: + description: The document version. + type: string + hash: + description: |- + The Sha256 or Sha1 hash created by the system when the document was created. + + Sha1 hashes have been deprecated. + type: string + hashType: + description: |- + The hash type of the document. Valid values include Sha256 or Sha1. + + Sha1 hashes have been deprecated. 
+ type: string + latestVersion: + description: The latest version of the document. + type: string + owner: + description: The Amazon Web Services user that created the document. + type: string + parameters: + description: A description of the parameters for a document. + items: + description: |- + Parameters specified in a Systems Manager document that run on the server + when the command is run. + properties: + defaultValue: + type: string + description: + type: string + name: + type: string + type_: + type: string + type: object + type: array + pendingReviewVersion: + description: The version of the document that is currently under review. + type: string + platformTypes: + description: The list of operating system (OS) platforms compatible + with this SSM document. + items: + type: string + type: array + reviewInformation: + description: Details about the review of a document. + items: + description: Information about the result of a document review request. + properties: + reviewedTime: + format: date-time + type: string + reviewer: + type: string + status: + type: string + type: object + type: array + reviewStatus: + description: The current status of the review. + type: string + schemaVersion: + description: The schema version. + type: string + sha1: + description: The SHA1 hash of the document, which you can use for + verification. + type: string + status: + description: The status of the SSM document. + type: string + statusInformation: + description: |- + A message returned by Amazon Web Services Systems Manager that explains the + Status value. For example, a Failed status might be explained by the StatusInformation + message, "The specified S3 bucket doesn't exist. Verify that the URL of the + S3 bucket is correct." + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_patchbaselines.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_patchbaselines.yaml new file mode 100644 index 00000000000..898998e9734 --- /dev/null +++ b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_patchbaselines.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: patchbaselines.ssm.services.k8s.aws +spec: + group: ssm.services.k8s.aws + names: + kind: PatchBaseline + listKind: PatchBaselineList + plural: patchbaselines + singular: patchbaseline + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PatchBaseline is the Schema for the PatchBaselines API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PatchBaselineSpec defines the desired state of PatchBaseline. + properties: + approvalRules: + description: A set of rules used to include patches in the baseline. + properties: + patchRules: + items: + description: Defines an approval rule for a patch baseline. + properties: + approveAfterDays: + format: int64 + type: integer + approveUntilDate: + type: string + complianceLevel: + type: string + enableNonSecurity: + type: boolean + patchFilterGroup: + description: A set of patch filters, typically used for + approval rules. + properties: + patchFilters: + items: + description: |- + Defines which patches should be included in a patch baseline. + + A patch filter consists of a key and a set of values. 
The filter key is a + patch property. For example, the available filter keys for WINDOWS are PATCH_SET, + PRODUCT, PRODUCT_FAMILY, CLASSIFICATION, and MSRC_SEVERITY. + + The filter values define a matching criterion for the patch property indicated + by the key. For example, if the filter key is PRODUCT and the filter values + are ["Office 2013", "Office 2016"], then the filter accepts all patches where + product name is either "Office 2013" or "Office 2016". The filter values + can be exact values for the patch property given as a key, or a wildcard + (*), which matches all values. + + You can view lists of valid values for the patch properties by running the + DescribePatchProperties command. For information about which patch properties + can be used with each major operating system, see DescribePatchProperties. + properties: + key: + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object + type: object + type: array + type: object + approvedPatches: + description: |- + A list of explicitly approved patches for the baseline. + + For information about accepted formats for lists of approved patches and + rejected patches, see About package name formats for approved and rejected + patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) + in the Amazon Web Services Systems Manager User Guide. + items: + type: string + type: array + approvedPatchesComplianceLevel: + description: |- + Defines the compliance level for approved patches. When an approved patch + is reported as missing, this value describes the severity of the compliance + violation. The default value is UNSPECIFIED. + type: string + approvedPatchesEnableNonSecurity: + description: |- + Indicates whether the list of approved patches includes non-security updates + that should be applied to the managed nodes. The default value is false. + Applies to Linux managed nodes only. 
+ type: boolean + clientToken: + description: User-provided idempotency token. + type: string + description: + description: A description of the patch baseline. + type: string + globalFilters: + description: A set of global filters used to include patches in the + baseline. + properties: + patchFilters: + items: + description: |- + Defines which patches should be included in a patch baseline. + + A patch filter consists of a key and a set of values. The filter key is a + patch property. For example, the available filter keys for WINDOWS are PATCH_SET, + PRODUCT, PRODUCT_FAMILY, CLASSIFICATION, and MSRC_SEVERITY. + + The filter values define a matching criterion for the patch property indicated + by the key. For example, if the filter key is PRODUCT and the filter values + are ["Office 2013", "Office 2016"], then the filter accepts all patches where + product name is either "Office 2013" or "Office 2016". The filter values + can be exact values for the patch property given as a key, or a wildcard + (*), which matches all values. + + You can view lists of valid values for the patch properties by running the + DescribePatchProperties command. For information about which patch properties + can be used with each major operating system, see DescribePatchProperties. + properties: + key: + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object + name: + description: The name of the patch baseline. + type: string + operatingSystem: + description: |- + Defines the operating system the patch baseline applies to. The default value + is WINDOWS. + type: string + rejectedPatches: + description: |- + A list of explicitly rejected patches for the baseline. 
+ + For information about accepted formats for lists of approved patches and + rejected patches, see About package name formats for approved and rejected + patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) + in the Amazon Web Services Systems Manager User Guide. + items: + type: string + type: array + rejectedPatchesAction: + description: |- + The action for Patch Manager to take on patches included in the RejectedPackages + list. + + * ALLOW_AS_DEPENDENCY : A package in the Rejected patches list is installed + only if it is a dependency of another package. It is considered compliant + with the patch baseline, and its status is reported as InstalledOther. + This is the default action if no option is specified. + + * BLOCK : Packages in the RejectedPatches list, and packages that include + them as dependencies, aren't installed under any circumstances. If a package + was installed before it was added to the Rejected patches list, it is + considered non-compliant with the patch baseline, and its status is reported + as InstalledRejected. + type: string + sources: + description: |- + Information about the patches to use to update the managed nodes, including + target operating systems and source repositories. Applies to Linux managed + nodes only. + items: + description: |- + Information about the patches to use to update the managed nodes, including + target operating systems and source repository. Applies to Linux managed + nodes only. + properties: + configuration: + type: string + name: + type: string + products: + items: + type: string + type: array + type: object + type: array + tags: + description: |- + Optional metadata that you assign to a resource. Tags enable you to categorize + a resource in different ways, such as by purpose, owner, or environment. 
+ For example, you might want to tag a patch baseline to identify the severity + level of patches it specifies and the operating system family it applies + to. In this case, you could specify the following key-value pairs: + + * Key=PatchSeverity,Value=Critical + + * Key=OS,Value=Windows + + To add tags to an existing patch baseline, use the AddTagsToResource operation. + items: + description: |- + Metadata that you assign to your Amazon Web Services resources. Tags enable + you to categorize your resources in different ways, for example, by purpose, + owner, or environment. In Amazon Web Services Systems Manager, you can apply + tags to Systems Manager documents (SSM documents), managed nodes, maintenance + windows, parameters, patch baselines, OpsItems, and OpsMetadata. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: PatchBaselineStatus defines the observed state of PatchBaseline + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. 
+ type: string + required: + - ownerAccountID + - region + type: object + baselineID: + description: The ID of the created patch baseline. + type: string + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_resourcedatasyncs.yaml b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_resourcedatasyncs.yaml new file mode 100644 index 00000000000..f4790d0ddaf --- /dev/null +++ b/operators/ack-ssm-controller/1.0.0/manifests/ssm.services.k8s.aws_resourcedatasyncs.yaml 
@@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: resourcedatasyncs.ssm.services.k8s.aws +spec: + group: ssm.services.k8s.aws + names: + kind: ResourceDataSync + listKind: ResourceDataSyncList + plural: resourcedatasyncs + singular: resourcedatasync + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ResourceDataSync is the Schema for the ResourceDataSyncs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceDataSyncSpec defines the desired state of ResourceDataSync. + properties: + s3Destination: + description: |- + Amazon S3 configuration details for the sync. This parameter is required + if the SyncType value is SyncToDestination. + properties: + awsKMSKeyARN: + type: string + bucketName: + type: string + destinationDataSharing: + description: |- + Synchronize Amazon Web Services Systems Manager Inventory data from multiple + Amazon Web Services accounts defined in Organizations to a centralized Amazon + S3 bucket. Data is synchronized to individual key prefixes in the central + bucket. Each key prefix represents a different Amazon Web Services account + ID. 
+ properties: + destinationDataSharingType: + type: string + type: object + prefix: + type: string + region: + type: string + syncFormat: + type: string + type: object + syncName: + description: A name for the configuration. + type: string + syncSource: + description: |- + Specify information about the data sources to synchronize. This parameter + is required if the SyncType value is SyncFromSource. + properties: + awsOrganizationsSource: + description: |- + Information about the AwsOrganizationsSource resource data sync source. A + sync source of this type can synchronize data from Organizations or, if an + Amazon Web Services organization isn't present, from multiple Amazon Web + Services Regions. + properties: + organizationSourceType: + type: string + organizationalUnits: + items: + description: The Organizations organizational unit data + source for the sync. + properties: + organizationalUnitID: + type: string + type: object + type: array + type: object + enableAllOpsDataSources: + type: boolean + includeFutureRegions: + type: boolean + sourceRegions: + items: + type: string + type: array + sourceType: + type: string + type: object + syncType: + description: |- + Specify SyncToDestination to create a resource data sync that synchronizes + data to an S3 bucket for Inventory. If you specify SyncToDestination, you + must provide a value for S3Destination. Specify SyncFromSource to synchronize + data from a single account and multiple Regions, or multiple Amazon Web Services + accounts and Amazon Web Services Regions, as listed in Organizations for + Explorer. If you specify SyncFromSource, you must provide a value for SyncSource. + The default value is SyncToDestination. 
+ type: string + required: + - syncName + type: object + status: + description: ResourceDataSyncStatus defines the observed state of ResourceDataSync + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-ssm-controller/1.0.0/metadata/annotations.yaml b/operators/ack-ssm-controller/1.0.0/metadata/annotations.yaml new file mode 100644 index 00000000000..135d94901b1 --- /dev/null +++ b/operators/ack-ssm-controller/1.0.0/metadata/annotations.yaml @@ -0,0 +1,15 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: ack-ssm-controller + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: unknown + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/ack-ssm-controller/1.0.0/tests/scorecard/config.yaml b/operators/ack-ssm-controller/1.0.0/tests/scorecard/config.yaml new file mode 100644 index 00000000000..382ddefd156 --- /dev/null +++ b/operators/ack-ssm-controller/1.0.0/tests/scorecard/config.yaml 
@@ -0,0 +1,50 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests:
+ - entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: basic
+ test: basic-check-spec-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+storage:
+ spec:
+ mountPath: {}
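Review bot: All four scorecard tests pull `quay.io/operator-framework/scorecard-test:v1.7.1` by tag only, so the image that runs against the bundle is whatever that tag resolves to at pull time rather than a fixed, reviewed artifact. Pinning each entry by digest, e.g. `image: quay.io/operator-framework/scorecard-test:v1.7.1@sha256:<digest-of-the-verified-image>` (placeholder, not a real digest), would make the test stage reproducible and resistant to a re-pushed tag. The tag also looks out of step with the `operator-sdk-v1.28.0` builder recorded in this bundle's `metadata/annotations.yaml`; it is worth confirming that v1.7.1 is intentional rather than a leftover scaffold default, and adding a short comment above `stages:` saying which scorecard release the config is meant to track.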