From 749f9b72a505e27bf1819c68441e5b8fa5ed334d Mon Sep 17 00:00:00 2001 
From: Isabella Janssen Date: Fri, 12 Sep 2025 08:45:27 -0400 Subject: [PATCH 1/2] bump(api & client-go): bump api to commit 2acafd4 and client-go to commit 1bc0cb0 --- go.mod | 4 +- go.sum | 8 +- vendor/github.com/openshift/api/OWNERS | 2 +- .../api/config/v1/types_apiserver.go | 5 +- .../api/config/v1/types_cluster_operator.go | 7 +- .../api/config/v1/types_cluster_version.go | 2 +- .../api/config/v1/types_infrastructure.go | 19 +- ...sion-operator_01_clusteroperators.crd.yaml | 7 +- ...1_clusterversions-CustomNoUpgrade.crd.yaml | 2 +- ...erator_01_clusterversions-Default.crd.yaml | 2 +- ...usterversions-DevPreviewNoUpgrade.crd.yaml | 2 +- ...sterversions-TechPreviewNoUpgrade.crd.yaml | 2 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 5 +- ...ig-operator_01_apiservers-Default.crd.yaml | 5 +- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 5 +- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 5 +- ...r_01_clusterimagepolicies-Default.crd.yaml | 415 +++++++++++++++++ ...operator_01_imagepolicies-Default.crd.yaml | 416 ++++++++++++++++++ ...1_infrastructures-CustomNoUpgrade.crd.yaml | 11 +- ...erator_01_infrastructures-Default.crd.yaml | 106 ++++- ...frastructures-DevPreviewNoUpgrade.crd.yaml | 11 +- ...rastructures-TechPreviewNoUpgrade.crd.yaml | 11 +- .../v1/zz_generated.swagger_doc_generated.go | 12 +- ...r_01_clusterimagepolicies-Default.crd.yaml | 350 +++++++++++++++ ...operator_01_imagepolicies-Default.crd.yaml | 350 +++++++++++++++ vendor/github.com/openshift/api/features.md | 20 +- .../openshift/api/features/features.go | 65 ++- .../api/features/legacyfeaturegates.go | 2 - .../openshift/api/imageregistry/v1/types.go | 1 - ..._generated.featuregated-crd-manifests.yaml | 3 +- .../openshift/api/legacyconfig/v1/types.go | 2 +- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../v1/types_controlplanemachineset.go | 2 +- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../v1beta1/types_machinehealthcheck.go | 1 + .../zz_generated.swagger_doc_generated.go 
| 2 +- .../v1/types_machineconfignode.go | 59 +++ .../v1/types_machineosconfig.go | 1 + ...controllerconfigs-CustomNoUpgrade.crd.yaml | 11 +- ...nfig_01_controllerconfigs-Default.crd.yaml | 106 ++++- ...rollerconfigs-DevPreviewNoUpgrade.crd.yaml | 11 +- ...ollerconfigs-TechPreviewNoUpgrade.crd.yaml | 11 +- ...achineconfignodes-CustomNoUpgrade.crd.yaml | 72 +++ ...fig_01_machineconfignodes-Default.crd.yaml | 2 + ...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 72 +++ ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 72 +++ ...achine-config_01_machineosconfigs.crd.yaml | 6 + .../v1/zz_generated.deepcopy.go | 34 ++ ..._generated.featuregated-crd-manifests.yaml | 1 + .../v1/zz_generated.swagger_doc_generated.go | 23 +- ...ionoperators-TechPreviewNoUpgrade.crd.yaml | 90 ++++ .../render/legacyfeaturegates.go | 2 - .../v1/machineconfignodespec.go | 9 + .../v1/machineconfignodespecconfigimage.go | 27 ++ .../v1/machineconfignodestatus.go | 9 + .../v1/machineconfignodestatusconfigimage.go | 36 ++ .../applyconfigurations/utils.go | 4 + vendor/modules.txt | 4 +- 58 files changed, 2408 insertions(+), 120 deletions(-) create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversionoperators-TechPreviewNoUpgrade.crd.yaml create mode 100644 
vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go
create mode 100644 vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go
diff --git a/go.mod b/go.mod
index 97418725d6..0113fd9e6d 100644
--- a/go.mod
+++ b/go.mod
@@ -34,8 +34,8 @@ require (
 github.com/onsi/gomega v1.36.2
 github.com/opencontainers/go-digest v1.0.0
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9
- github.com/openshift/api v0.0.0-20250811150514-cc869c87a7f0
- github.com/openshift/client-go v0.0.0-20250811163556-6193816ae379
+ github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2
+ github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b
 github.com/openshift/library-go v0.0.0-20250911074910-e2c18d5abc3a
 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 github.com/prometheus/client_golang v1.22.0
diff --git a/go.sum b/go.sum
index 968026167d..4cf922ddd1 100644
--- a/go.sum
+++ b/go.sum
@@ -591,10 +591,10 @@ github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplU
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9 h1:4ZeSM80DVCb5WWB3Q/fyCI9jYXAl9bfrGnFvFONqzN4=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20250811150514-cc869c87a7f0 h1:K/EiQZE4lBzGMvk7APzYWRuRUJtfwaD5QGRVcny2J1M=
-github.com/openshift/api v0.0.0-20250811150514-cc869c87a7f0/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
-github.com/openshift/client-go v0.0.0-20250811163556-6193816ae379 h1:Xr47DBqFVjpLdU4BTtCS5l2XojbRYap2FIPdSj8YYzU=
-github.com/openshift/client-go v0.0.0-20250811163556-6193816ae379/go.mod h1:HouQRy4JgvTBpxcyw1YSD/Lp+wjOaUrxjWFHlMtZsk8=
+github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2 h1:orbYgUTUMs2asHZhT792jeXlVzOqGFaGo8FbD9ihnsE=
+github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
+github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b h1:VQpSjWE8jmsPj+EXB+XABTLmDgg9xtT8/fudB/31/aI=
+github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b/go.mod h1:w7sV33ASK/HcuEb0Ll9qvChZdJwNwqo8GocVAnd7fVY=
 github.com/openshift/kubernetes v1.30.1-0.20250716113245-b94367cabf3e h1:M5BrUTglTltZjcRz5ouJBqSw0a60p760Bl520ndOGS0=
 github.com/openshift/kubernetes v1.30.1-0.20250716113245-b94367cabf3e/go.mod h1:GwUMe2E0Dqe2YN/Nkg9QWNBktqiTR7y+HFxcIWKshXI=
 github.com/openshift/kubernetes/staging/src/k8s.io/api v0.0.0-20250716113245-b94367cabf3e h1:Y70IDoOnCCKQT4lIJxx2KkTifLuqD/vjRrzo1DxZ/iw=
diff --git a/vendor/github.com/openshift/api/OWNERS b/vendor/github.com/openshift/api/OWNERS
index ff904b63a3..ebd9a2f459 100644
--- a/vendor/github.com/openshift/api/OWNERS
+++ b/vendor/github.com/openshift/api/OWNERS
@@ -1,7 +1,7 @@
 reviewers:
- - deads2k
 - JoelSpeed
 - everettraven
 approvers:
 - deads2k
 - JoelSpeed
+ - everettraven
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
index e1a98cb267..0afe7b1d8d 100644
--- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -58,9 +58,8 @@ type APIServerSpec struct {
 Encryption APIServerEncryption `json:"encryption"`
 // tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
 //
- // If unset, a default (which may change between releases) is chosen. Note that only Old,
- // Intermediate and Custom profiles are currently supported, and the maximum available
- // minTLSVersion is VersionTLS12.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default is the Intermediate profile.
 // +optional
 TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
 // audit specifies the settings for audit configuration to be applied to all OpenShift-provided
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
index a447adb9f4..86fbc033e1 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
@@ -9,10 +9,9 @@ import (
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// ClusterOperator is the Custom Resource object which holds the current state
-// of an operator. This object is used by operators to convey their state to
-// the rest of the cluster.
-//
+// ClusterOperator holds the status of a core or optional OpenShift component
+// managed by the Cluster Version Operator (CVO). This object is used by
+// operators to convey their state to the rest of the cluster.
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
 // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/497
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index 54e1de94ce..cfac9689e4 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -257,7 +257,7 @@ type UpdateHistory struct {
 // acceptedRisks records risks which were accepted to initiate the update.
 // For example, it may menition an Upgradeable=False or missing signature
- // that was overriden via desiredUpdate.force, or an update that was
+ // that was overridden via desiredUpdate.force, or an update that was
 // initiated despite not being in the availableUpdates set of recommended
 // update targets.
 // +optional
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index a119e2c051..effafde644 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -650,7 +650,7 @@ const (
 )
 // GCPServiceEndpointName is the name of the GCP Service Endpoint.
-// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage
+// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;IAMCredentials;OAuth;ServiceUsage;Storage;STS
 type GCPServiceEndpointName string
 const (
@@ -672,11 +672,20 @@ const (
 // GCPServiceEndpointNameIAM is the name used for the GCP IAM Service endpoint.
 GCPServiceEndpointNameIAM GCPServiceEndpointName = "IAM"
+ // GCPServiceEndpointNameIAMCredentials is the name used for the GCP IAM Credentials Service endpoint.
+ GCPServiceEndpointNameIAMCredentials GCPServiceEndpointName = "IAMCredentials"
+
+ // GCPServiceEndpointNameOAuth is the name used for the GCP OAuth2 Service endpoint.
+ GCPServiceEndpointNameOAuth GCPServiceEndpointName = "OAuth"
+
 // GCPServiceEndpointNameServiceUsage is the name used for the GCP Service Usage Service endpoint.
 GCPServiceEndpointNameServiceUsage GCPServiceEndpointName = "ServiceUsage"
 // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint.
 GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage"
+
+ // GCPServiceEndpointNameSTS is the name used for the GCP STS Service endpoint.
+ GCPServiceEndpointNameSTS GCPServiceEndpointName = "STS"
 )
 // GCPServiceEndpoint store the configuration of a custom url to
@@ -767,10 +776,10 @@ type GCPPlatformStatus struct {
 // used when creating clients to interact with GCP services.
 // When not specified, the default endpoint for the GCP region will be used.
 // Only 1 endpoint override is permitted for each GCP service.
- // The maximum number of endpoint overrides allowed is 9.
+ // The maximum number of endpoint overrides allowed is 11.
 // +listType=map
 // +listMapKey=name
- // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:MaxItems=11
 // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name"
 // +optional
 // +openshift:enable:FeatureGate=GCPCustomAPIEndpointsInstall
@@ -1728,7 +1737,7 @@ type IBMCloudPlatformSpec struct {
 // serviceEndpoints is a list of custom endpoints which will override the default
 // service endpoints of an IBM service. These endpoints are used by components
 // within the cluster when trying to reach the IBM Cloud Services that have been
- // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+ // overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
 // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
 // are updated to reflect the same custom endpoints.
 // A maximum of 13 service endpoints overrides are supported.
@@ -1762,7 +1771,7 @@ type IBMCloudPlatformStatus struct {
 // serviceEndpoints is a list of custom endpoints which will override the default
 // service endpoints of an IBM service. These endpoints are used by components
 // within the cluster when trying to reach the IBM Cloud Services that have been
- // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+ // overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
 // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
 // are updated to reflect the same custom endpoints.
 // +openshift:validation:FeatureGateAwareMaxItems:featureGate=DyanmicServiceEndpointIBMCloud,maxItems=13
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml
index 7ab62874a1..7bb5defcbd 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml
@@ -42,10 +42,9 @@ spec: schema: openAPIV3Schema: description: |- - ClusterOperator is the Custom Resource object which holds the current state - of an operator. This object is used by operators to convey their state to - the rest of the cluster. - + ClusterOperator holds the status of a core or optional OpenShift component + managed by the Cluster Version Operator (CVO). This object is used by + operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion:
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
index 087b62dda1..fe8e41c086 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
@@ -748,7 +748,7 @@ spec: description: |- acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was + that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. type: string
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
index f93da1e2e2..1b2662e080 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
@@ -664,7 +664,7 @@ spec: description: |- acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was + that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. type: string
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml
index 300d94a714..3d0a05471b 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml
@@ -748,7 +748,7 @@ spec: description: |- acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was + that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. type: string
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml
index 6fc2cb0d94..1e0f08de8c 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml
@@ -748,7 +748,7 @@ spec: description: |- acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was + that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. type: string
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index b10b46c6fb..f4416bf9b3 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -296,9 +296,8 @@ spec: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. properties: custom: description: |-
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml
index 44dc2924aa..37662cb58d 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml
@@ -227,9 +227,8 @@ spec: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. properties: custom: description: |-
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index 843984380b..bfeefa11f3 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -296,9 +296,8 @@ spec: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. properties: custom: description: |-
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index 808e11aac3..a49976e0df 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -296,9 +296,8 @@ spec: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. properties: custom: description: |-
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml
new file mode 100644
index 0000000000..29dc56153e
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml
@@ -0,0 +1,415 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). 
This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? 
has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. 
+ The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. 
+ remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml new file mode 100644 index 0000000000..ee88c398e5 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml 
@@ -0,0 +1,416 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). 
This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? 
has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. 
+ The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. 
+ remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index 355f154607..9f01a6aebd 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml 
@@ -229,7 +229,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. @@ -1995,7 +1995,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2018,8 +2018,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2045,7 +2048,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name @@ -2092,7 +2095,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 1ae221ca45..4ecbc18e96 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml 
@@ -1493,6 +1493,110 @@ spec: description: gcp contains settings specific to the Google Cloud Platform infrastructure provider. properties: + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + nullable: true + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). 
+ maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. 
+ enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType is + ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' projectID: description: resourceGroupName is the Project ID for new GCP resources created for the cluster. @@ -1638,7 +1742,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 4bdde7c603..44185f514e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml 
@@ -229,7 +229,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. @@ -1995,7 +1995,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2018,8 +2018,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2045,7 +2048,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name @@ -2092,7 +2095,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index 2fd59215f9..27e1ce7b41 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml @@ -229,7 +229,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. @@ -1995,7 +1995,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2018,8 +2018,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2045,7 +2048,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name 
@@ -2092,7 +2095,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index fe10c58f53..e3494151c6 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -318,7 +318,7 @@ var map_APIServerSpec = map[string]string{ "clientCA": "clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. You usually only have to set this if you have your own PKI you wish to honor client certificates from. The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - ConfigMap.Data[\"ca-bundle.crt\"] - CA bundle.", "additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", - "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", } 
@@ -651,7 +651,7 @@ func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { } var map_ClusterOperator = map[string]string{ - "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "spec": "spec holds configuration that could apply to any operator.", "status": "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", 
@@ -893,7 +893,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { 
@@ -1613,7 +1613,7 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", + "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { 
@@ -1653,7 +1653,7 @@ func (GCPServiceEndpoint) SwaggerDoc() map[string]string { var map_IBMCloudPlatformSpec = map[string]string{ "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", } func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string { 
@@ -1667,7 +1667,7 @@ var map_IBMCloudPlatformStatus = map[string]string{ "providerType": "providerType indicates the type of cluster that was created", "cisInstanceCRN": "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain", "dnsInstanceCRN": "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", } func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml new file mode 100644 index 0000000000..356d35a09f --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml 
@@ -0,0 +1,350 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the + email of the Fulcio authentication configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail holds the email address the the Fulcio certificate is issued for. + Example: "expected-signing-user@example.com" + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType serves as the union's discriminator. 
Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. + "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: publicKey defines the root of trust based on + a sigstore public key. + properties: + keyData: + description: |- + keyData contains inline base64-encoded data for the PEM format public key. + KeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: signedIdentity specifies what image identity the + signature claims about the image. 
The required matchPolicy field + specifies the approach used in the verification process to verify + the identity in the signature and the actual image identity, + the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: exactRepository is required if matchPolicy is + set to "ExactRepository". + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy sets the type of matching to be used. + Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + If set matchPolicy to ExactRepository, then the exactRepository must be specified. + If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. + "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
+ "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. + "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". + "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: remapIdentity is required if matchPolicy is set + to "RemapIdentity". + properties: + prefix: + description: |- + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? 
has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
+ For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml new file mode 100644 index 0000000000..8e951e362c --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml 
@@ -0,0 +1,350 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the + email of the Fulcio authentication configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail holds the email address the the Fulcio certificate is issued for. + Example: "expected-signing-user@example.com" + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType serves as the union's discriminator. 
Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. + "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: publicKey defines the root of trust based on + a sigstore public key. + properties: + keyData: + description: |- + keyData contains inline base64-encoded data for the PEM format public key. + KeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: signedIdentity specifies what image identity the + signature claims about the image. 
The required matchPolicy field + specifies the approach used in the verification process to verify + the identity in the signature and the actual image identity, + the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: exactRepository is required if matchPolicy is + set to "ExactRepository". + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy sets the type of matching to be used. + Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + If set matchPolicy to ExactRepository, then the exactRepository must be specified. + If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. + "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. 
+ "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. + "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". + "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: remapIdentity is required if matchPolicy is set + to "RemapIdentity". + properties: + prefix: + description: |- + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? 
has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
+ For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index bc5794ffb2..0a31a8efa9 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md 
@@ -5,28 +5,31 @@ | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | | ShortCertRotation| | | | | | | -| NoRegistryClusterOperations| | | | Enabled | | | | BootImageSkewEnforcement| | | Enabled | Enabled | | | -| ClusterVersionOperatorConfiguration| | | Enabled | Enabled | | | +| ClusterAPIMachineManagementVSphere| | | Enabled | Enabled | | | | Example2| | | Enabled | Enabled | | | | ExternalSnapshotMetadata| | | Enabled | Enabled | | | | NewOLMCatalogdAPIV1Metas| | | | Enabled | | Enabled | | NewOLMOwnSingleNamespace| | | | Enabled | | Enabled | | NewOLMPreflightPermissionChecks| | | | Enabled | | Enabled | | NewOLMWebhookProviderOpenshiftServiceCA| | | | Enabled | | Enabled | +| NoRegistryClusterOperations| | | | Enabled | | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | | NewOLM| | Enabled | | Enabled | | Enabled | | AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | AWSClusterHostedDNSInstall| | | Enabled | Enabled | Enabled | Enabled | | AWSDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AWSDualStackInstall| | | Enabled | Enabled | Enabled | Enabled | | AWSServiceLBNetworkSecurityGroup| | | Enabled | Enabled | Enabled | Enabled | | AutomatedEtcdBackup| | | Enabled | Enabled | Enabled | Enabled | | AzureClusterHostedDNSInstall| | | Enabled | Enabled | Enabled | Enabled | | AzureDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AzureDualStackInstall| | | Enabled | Enabled | Enabled | Enabled | | AzureMultiDisk| | | Enabled | Enabled | Enabled | Enabled | | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | +| ClusterVersionOperatorConfiguration| | | Enabled | Enabled | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | Enabled | Enabled | | DualReplica| | | Enabled | Enabled | Enabled 
| Enabled | | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | Enabled | Enabled | @@ -35,17 +38,15 @@ | Example| | | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | -| GCPClusterHostedDNSInstall| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | Enabled | Enabled | +| GCPDualStackInstall| | | Enabled | Enabled | Enabled | Enabled | | ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | -| ImageVolume| | | Enabled | Enabled | Enabled | Enabled | | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfigAPI| | | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | -| InsightsRuntimeExtractor| | | Enabled | Enabled | Enabled | Enabled | | IrreconcilableMachineConfig| | | Enabled | Enabled | Enabled | Enabled | | KMSEncryptionProvider| | | Enabled | Enabled | Enabled | Enabled | | MachineAPIMigration| | | Enabled | Enabled | Enabled | Enabled | 
@@ -62,11 +63,8 @@ | PreconfiguredUDNAddresses| | | Enabled | Enabled | Enabled | Enabled | | SELinuxMount| | | Enabled | Enabled | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | Enabled | Enabled | -| SigstoreImageVerification| | | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerificationPKI| | | Enabled | Enabled | Enabled | Enabled | -| StoragePerformantSecurityPolicy| | | Enabled | Enabled | Enabled | Enabled | | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | -| UpgradeStatus| | | Enabled | Enabled | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled | | VolumeAttributesClass| | | Enabled | Enabled | Enabled | Enabled | @@ -78,11 +76,12 @@ | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| ChunkSizeMiB| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| GCPClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPIController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | HighlyAvailableArbiter| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ImageVolume| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | IngressControllerLBSubnetsAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MachineConfigNodes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | 
@@ -99,6 +98,9 @@ | RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| StoragePerformantSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| UpgradeStatus| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiDisk| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 5b8e694263..d3ad9b28e6 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -92,9 +92,11 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + // OpenShift and Node Team will keep this turned off until evictions and + // disk provisioning are fixed even though upstream will take this GA. FeatureGateNodeSwap = newFeatureGate("NodeSwap"). reportProblemsToJiraComponent("node"). - contactPerson("ehashman"). + contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/2400"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). 
@@ -108,14 +110,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateInsightsRuntimeExtractor = newFeatureGate("InsightsRuntimeExtractor"). - reportProblemsToJiraComponent("insights"). - contactPerson("jmesnil"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation"). reportProblemsToJiraComponent("scheduling"). contactPerson("jchaloup"). @@ -160,7 +154,7 @@ var ( contactPerson("sgrunert"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI"). @@ -430,7 +424,7 @@ var ( contactPerson("pmuller"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateTranslateStreamCloseWebsocketRequests = newFeatureGate("TranslateStreamCloseWebsocketRequests"). 
@@ -571,14 +565,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). - reportProblemsToJiraComponent("Image Registry"). - contactPerson("flavianmissi"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMachineAPIMigration = newFeatureGate("MachineAPIMigration"). reportProblemsToJiraComponent("OCPCLOUD"). contactPerson("jspeed"). @@ -587,6 +573,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateClusterAPIMachineManagementVSphere = newFeatureGate("ClusterAPIMachineManagementVSphere"). + reportProblemsToJiraComponent("SPLAT"). + contactPerson("jcpowermac"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1465"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + FeatureGateClusterMonitoringConfig = newFeatureGate("ClusterMonitoringConfig"). reportProblemsToJiraComponent("Monitoring"). contactPerson("marioferh"). @@ -698,7 +692,7 @@ var ( contactPerson("dhurta"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1492"). - enableIn(configv1.DevPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints"). @@ -774,7 +768,7 @@ var ( contactPerson("hekumar"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1804"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateMultiDiskSetup = newFeatureGate("MultiDiskSetup"). 
@@ -822,7 +816,7 @@ var (
 		contactPerson("haircommander").
 		productScope(kubernetes).
 		enhancementPR("https://github.com/openshift/enhancements/pull/1792").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 		mustRegister()
 
 	FeatureGateNoRegistryClusterOperations = newFeatureGate("NoRegistryClusterOperations").
@@ -830,7 +824,7 @@ var (
 		contactPerson("andfasano").
 		productScope(ocpSpecific).
 		enhancementPR("https://github.com/openshift/enhancements/pull/1821").
-		enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade).
+		enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
 	FeatureGateGCPClusterHostedDNSInstall = newFeatureGate("GCPClusterHostedDNSInstall").
@@ -838,7 +832,7 @@ var (
 		contactPerson("barbacbd").
 		productScope(ocpSpecific).
 		enhancementPR("https://github.com/openshift/enhancements/pull/1468").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
 	FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall").
@@ -864,4 +858,27 @@ var (
 		enhancementPR("https://github.com/openshift/enhancements/pull/1785").
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
+	FeatureGateAWSDualStackInstall = newFeatureGate("AWSDualStackInstall").
+		reportProblemsToJiraComponent("Installer").
+		contactPerson("sadasu").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1806").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateAzureDualStackInstall = newFeatureGate("AzureDualStackInstall").
+		reportProblemsToJiraComponent("Installer").
+		contactPerson("jhixson74").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1806").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateGCPDualStackInstall = newFeatureGate("GCPDualStackInstall").
+		reportProblemsToJiraComponent("Installer").
+		contactPerson("barbacbd").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1806").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index 76874a2c7d..dd11fdf663 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -21,8 +21,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"BuildCSIVolumes",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"ChunkSizeMiB",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"ClusterAPIInstall",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"ClusterAPIInstallIBMCloud",
diff --git a/vendor/github.com/openshift/api/imageregistry/v1/types.go b/vendor/github.com/openshift/api/imageregistry/v1/types.go
index e4f5319460..4fea205401 100644
--- a/vendor/github.com/openshift/api/imageregistry/v1/types.go
+++ b/vendor/github.com/openshift/api/imageregistry/v1/types.go
@@ -215,7 +215,6 @@ type ImageRegistryConfigStorageS3 struct {
 	// The minimum value is 5 and the maximum value is 5120 (5 GiB).
 	// +kubebuilder:validation:Minimum=5
 	// +kubebuilder:validation:Maximum=5120
-	// +openshift:enable:FeatureGate=ChunkSizeMiB
 	// +optional
 	ChunkSizeMiB int32 `json:"chunkSizeMiB,omitempty"`
 	// encrypt specifies whether the registry stores the image in encrypted
diff --git a/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml
index a6ccc2262a..95613c7ae2 100644
--- a/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -4,8 +4,7 @@ configs.imageregistry.operator.openshift.io:
   CRDName: configs.imageregistry.operator.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates:
-  - ChunkSizeMiB
+  FeatureGates: []
   FilenameOperatorName: ""
   FilenameOperatorOrdering: "00"
   FilenameRunLevel: ""
diff --git a/vendor/github.com/openshift/api/legacyconfig/v1/types.go b/vendor/github.com/openshift/api/legacyconfig/v1/types.go
index c0e03c233a..f2db8e9ccb 100644
--- a/vendor/github.com/openshift/api/legacyconfig/v1/types.go
+++ b/vendor/github.com/openshift/api/legacyconfig/v1/types.go
@@ -801,7 +801,7 @@ type TokenConfig struct {
 	// accessTokenInactivityTimeoutSeconds defined the default token
 	// inactivity timeout for tokens granted by any client.
 	// Setting it to nil means the feature is completely disabled (default)
-	// The default setting can be overriden on OAuthClient basis.
+	// The default setting can be overridden on OAuthClient basis.
 	// The value represents the maximum amount of time that can occur between
 	// consecutive uses of the token. Tokens become invalid if they are not
 	// used within this temporal window. The user will need to acquire a new
diff --git a/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go
index 42444e8aee..a915c00425 100644
--- a/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go
@@ -927,7 +927,7 @@ var map_TokenConfig = map[string]string{
 	"": "TokenConfig holds the necessary configuration options for authorization and access tokens",
 	"authorizeTokenMaxAgeSeconds": "authorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens",
 	"accessTokenMaxAgeSeconds": "accessTokenMaxAgeSeconds defines the maximum age of access tokens",
-	"accessTokenInactivityTimeoutSeconds": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overriden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)",
+	"accessTokenInactivityTimeoutSeconds": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overridden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)",
 }
 
 func (TokenConfig) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
index 409ffc64e0..d7661cf389 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
@@ -174,7 +174,7 @@ type OpenShiftMachineV1Beta1MachineTemplate struct {
 	// The ProviderSpec within contains platform specific details
 	// for creating the Control Plane Machines.
 	// The ProviderSe should be complete apart from the platform specific
-	// failure domain field. This will be overriden when the Machines
+	// failure domain field. This will be overridden when the Machines
 	// are created based on the FailureDomains field.
 	// +required
 	Spec machinev1beta1.MachineSpec `json:"spec"`
diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go
index c0b8c4ce42..2e35df7e23 100644
--- a/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go
@@ -280,7 +280,7 @@ var map_OpenShiftMachineV1Beta1MachineTemplate = map[string]string{
 	"": "OpenShiftMachineV1Beta1MachineTemplate is a template for the ControlPlaneMachineSet to create Machines from the v1beta1.machine.openshift.io API group.",
 	"failureDomains": "failureDomains is the list of failure domains (sometimes called availability zones) in which the ControlPlaneMachineSet should balance the Control Plane Machines. This will be merged into the ProviderSpec given in the template. This field is optional on platforms that do not require placement information.",
 	"metadata": "ObjectMeta is the standard object metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata Labels are required to match the ControlPlaneMachineSet selector.",
-	"spec": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overriden when the Machines are created based on the FailureDomains field.",
+	"spec": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overridden when the Machines are created based on the FailureDomains field.",
 }
 
 func (OpenShiftMachineV1Beta1MachineTemplate) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go
index 00dbebc9eb..f80d716a0d 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go
@@ -76,6 +76,7 @@ type MachineHealthCheckSpec struct {
 	// Expects either a postive integer value or a percentage value.
 	// Percentage values must be positive whole numbers and are capped at 100%.
 	// Both 0 and 0% are valid and will block all remediation.
+	// Defaults to 100% if not set.
 	// +kubebuilder:default:="100%"
 	// +kubebuilder:validation:XIntOrString
 	// +kubebuilder:validation:Pattern="^((100|[0-9]{1,2})%|[0-9]+)$"
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
index 2667a0aa24..e40d744f60 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
@@ -625,7 +625,7 @@ var map_MachineHealthCheckSpec = map[string]string{
 	"": "MachineHealthCheckSpec defines the desired state of MachineHealthCheck",
 	"selector": "Label selector to match machines whose health will be exercised. Note: An empty selector will match all machines.",
 	"unhealthyConditions": "unhealthyConditions contains a list of the conditions that determine whether a node is considered unhealthy. The conditions are combined in a logical OR, i.e. if any of the conditions is met, the node is unhealthy.",
-	"maxUnhealthy": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation.",
+	"maxUnhealthy": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. Defaults to 100% if not set.",
 	"nodeStartupTimeout": "Machines older than this duration without a node will be considered to have failed and will be remediated. To prevent Machines without Nodes from being removed, disable startup checks by setting this value explicitly to \"0\". Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". 
Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
 	"remediationTemplate": "remediationTemplate is a reference to a remediation template provided by an infrastructure provider.\n\nThis field is completely optional, when filled, the MachineHealthCheck controller creates a new object from the template referenced and hands off remediation of the machine to a controller that lives outside of Machine API Operator.",
 }
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go
index 5decf3738a..effe1656e3 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go
@@ -98,6 +98,13 @@ type MachineConfigNodeSpec struct {
 	// the new machine config against the current machine config.
 	// +required
 	ConfigVersion MachineConfigNodeSpecMachineConfigVersion `json:"configVersion"`
+
+	// configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields
+	// When omitted, Image Mode is not be enabled and the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications.
+	// When specified, Image Mode is enabled and will attempt to update the node to use the desired image. Following this, the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications.
+	// +openshift:enable:FeatureGate=ImageModeStatusReporting
+	// +optional
+	ConfigImage MachineConfigNodeSpecConfigImage `json:"configImage,omitempty,omitzero"`
 }
 
 // MachineConfigNodeStatus holds the reported information on a particular machine config node.
@@ -106,6 +113,8 @@ type MachineConfigNodeStatus struct {
 	// UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed,
 	// Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing,
 	// and PinnedImageSetsDegraded.
+	// The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry,
+	// AppliedOSImage, AppliedFiles
 	// +listType=map
 	// +listMapKey=type
 	// +kubebuilder:validation:MaxItems=20
@@ -120,6 +129,15 @@ type MachineConfigNodeStatus struct {
 	// configVersion describes the current and desired machine config version for this node.
 	// +optional
 	ConfigVersion *MachineConfigNodeStatusMachineConfigVersion `json:"configVersion,omitempty"`
+	// configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields.
+	// When omitted, this means that the Image Mode feature is not being used and the node will be up to date with the specific current rendered config version for the nodes MachinePool.
+	// When specified, the Image Mode feature is enabled and the contents of this field show the observed state of the node image.
+	// When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is not created, only the configVersion field will change.
+	// When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is created, then only the configImage field will change. It is also possible that both the configImage
+	// and configVersion change during the same update.
+	// +openshift:enable:FeatureGate=ImageModeStatusReporting
+	// +optional
+	ConfigImage MachineConfigNodeStatusConfigImage `json:"configImage,omitempty,omitzero"`
 	// pinnedImageSets describes the current and desired pinned image sets for this node.
 	// +listType=map
 	// +listMapKey=name
@@ -244,6 +262,41 @@ type MachineConfigNodeSpecMachineConfigVersion struct {
 	Desired string `json:"desired"`
 }
 
+// MachineConfigNodeSpecConfigImage holds the desired image for the node.
+// This structure is populated from the `machineconfiguration.openshift.io/desiredImage`
+// annotation on the target node, which is set by the Machine Config Pool controller
+// to signal the desired image pullspec for the node to update to.
+type MachineConfigNodeSpecConfigImage struct {
+	// desiredImage is a required field that configures the image that the node should be updated to use.
+	// It must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9.
+	// desiredImage must not be an empty string and must not exceed 447 characters in length.
+	// +required
+	DesiredImage ImageDigestFormat `json:"desiredImage,omitempty"`
+}
+
+// MachineConfigNodeStatusConfigImage holds the observed state of the image
+// on the node, including both the image targeted for an update and the image
+// currently applied. This allows for monitoring the progress of the layering
+// rollout. If Image Mode is enabled, desiredImage must be defined.
+// +kubebuilder:validation:MinProperties:=1
+type MachineConfigNodeStatusConfigImage struct {
+	// currentImage is an optional field that represents the current image that is applied to the node.
+	// When omitted, this means that no image updates have been applied to the node and it will be up to date with the specific current rendered config version.
+	// When specified, this means that the node is currently using this image.
+	// currentImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9.
+	// currentImage must not be an empty string and must not exceed 447 characters in length.
+	// +optional
+	CurrentImage ImageDigestFormat `json:"currentImage,omitzero,omitempty"`
+	// desiredImage is an optional field that represents the currently observed state of image that the node should be updated to use.
+	// When not specified, this means that Image Mode has been disabled and the node will up to date with the specific current rendered config version.
+	// When specified, this means that Image Mode has been enabled and the node is actively progressing to update the node to this image.
+	// If currentImage and desiredImage match, the node has been successfully updated to use the desired image.
+	// desiredImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9.
+	// desiredImage must not be an empty string and must not exceed 447 characters in length.
+	// +optional
+	DesiredImage ImageDigestFormat `json:"desiredImage,omitzero,omitempty"`
+}
+
 // StateProgress is each possible state for each possible MachineConfigNodeType
 // +enum
 type StateProgress string
@@ -263,8 +316,14 @@ const (
 	MachineConfigNodeResumed StateProgress = "Resumed"
 	// MachineConfigNodeUpdateDrained describes the part of the in progress phase where the node drains
 	MachineConfigNodeUpdateDrained StateProgress = "Drained"
+	// MachineConfigNodeUpdateFiles describes the part of the in progress phase where the nodes files changes
+	MachineConfigNodeUpdateFiles StateProgress = "AppliedFiles"
+	// MachineConfigNodeUpdateOS describes the part of the in progress phase where the OS config changes
+	MachineConfigNodeUpdateOS StateProgress = "AppliedOSImage"
 	// MachineConfigNodeUpdateFilesAndOS describes the part of the in progress phase where the nodes files and OS config change
 	MachineConfigNodeUpdateFilesAndOS StateProgress = "AppliedFilesAndOS"
+	// MachineConfigNodeImagePulledFromRegistry describes the part of the in progress phase where the update image is pulled from the registry
+	MachineConfigNodeImagePulledFromRegistry StateProgress = "ImagePulledFromRegistry"
 	// MachineConfigNodeUpdateCordoned describes the part of the in progress phase where the node cordons
 	MachineConfigNodeUpdateCordoned StateProgress = "Cordoned"
 	// MachineConfigNodeUpdateUncordoned describes the part of the completing phase where the node uncordons
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosconfig.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosconfig.go
index a579f1c674..49404d5696 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosconfig.go
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosconfig.go
@@ -17,6 +17,7 @@ import ( // MachineOSConfig describes the configuration for a build process managed by the MCO // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=1 +// +kubebuilder:validation:XValidation:rule="self.metadata.name == self.spec.machineConfigPool.name || oldSelf.hasValue() && oldSelf.spec.machineConfigPool.name.value() == self.spec.machineConfigPool.name",optionalOldSelf=true,message="MachineOSConfig name must match the referenced MachineConfigPool name; can only have one MachineOSConfig per MachineConfigPool" type MachineOSConfig struct { metav1.TypeMeta `json:",inline"` diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml index 24937ba06c..386383a9b5 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml @@ -508,7 +508,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. 
@@ -2275,7 +2275,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2298,8 +2298,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2325,7 +2328,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name @@ -2375,7 +2378,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml index 96b84fb71b..485501e0ac 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml 
@@ -1779,6 +1779,110 @@ spec: description: gcp contains settings specific to the Google Cloud Platform infrastructure provider. properties: + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + nullable: true + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). 
+ maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. 
+ enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType + is ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' projectID: description: resourceGroupName is the Project ID for new GCP resources created for the cluster. @@ -1930,7 +2034,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml index 5d62bdce5f..9cf9598025 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml 
@@ -508,7 +508,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. @@ -2275,7 +2275,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2298,8 +2298,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2325,7 +2328,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name @@ -2375,7 +2378,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml index b44a0068eb..434cdf4c63 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml @@ -508,7 +508,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported. @@ -2275,7 +2275,7 @@ spec: used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. - The maximum number of endpoint overrides allowed is 9. + The maximum number of endpoint overrides allowed is 11. items: description: |- GCPServiceEndpoint store the configuration of a custom url to @@ -2298,8 +2298,11 @@ spec: - DNS - File - IAM + - IAMCredentials + - OAuth - ServiceUsage - Storage + - STS type: string url: description: |- @@ -2325,7 +2328,7 @@ spec: - name - url type: object - maxItems: 8 + maxItems: 11 type: array x-kubernetes-list-map-keys: - name 
@@ -2375,7 +2378,7 @@ spec: serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been - overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. items: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml index a9b3e19a7b..46d9a6ea46 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml 
@@ -99,6 +99,30 @@ spec: spec: description: spec describes the configuration of the machine config node. properties: + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields + When omitted, Image Mode is not be enabled and the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + When specified, Image Mode is enabled and will attempt to update the node to use the desired image. Following this, the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + properties: + desiredImage: + description: |- + desiredImage is a required field that configures the image that the node should be updated to use. + It must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + required: + - desiredImage + type: object configVersion: description: |- configVersion holds the desired config version for the node targeted by this machine config node resource. 
@@ -182,6 +206,8 @@ spec: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -241,6 +267,52 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields. + When omitted, this means that the Image Mode feature is not being used and the node will be up to date with the specific current rendered config version for the nodes MachinePool. + When specified, the Image Mode feature is enabled and the contents of this field show the observed state of the node image. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is not created, only the configVersion field will change. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is created, then only the configImage field will change. It is also possible that both the configImage + and configVersion change during the same update. + minProperties: 1 + properties: + currentImage: + description: |- + currentImage is an optional field that represents the current image that is applied to the node. + When omitted, this means that no image updates have been applied to the node and it will be up to date with the specific current rendered config version. + When specified, this means that the node is currently using this image. + currentImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + currentImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + desiredImage: + description: |- + desiredImage is an optional field that represents the currently observed state of image that the node should be updated to use. + When not specified, this means that Image Mode has been disabled and the node will up to date with the specific current rendered config version. + When specified, this means that Image Mode has been enabled and the node is actively progressing to update the node to this image. + If currentImage and desiredImage match, the node has been successfully updated to use the desired image. + desiredImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + type: object configVersion: description: configVersion describes the current and desired machine config version for this node. diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml index 7a1aed97d2..21d9caaa42 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml @@ -182,6 +182,8 @@ spec: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles items: description: Condition contains details for one aspect of the current state of this API Resource. 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml index 487dc5beac..a68b8d0adf 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml 
@@ -99,6 +99,30 @@ spec: spec: description: spec describes the configuration of the machine config node. properties: + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields + When omitted, Image Mode is not be enabled and the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + When specified, Image Mode is enabled and will attempt to update the node to use the desired image. Following this, the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + properties: + desiredImage: + description: |- + desiredImage is a required field that configures the image that the node should be updated to use. + It must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + required: + - desiredImage + type: object configVersion: description: |- configVersion holds the desired config version for the node targeted by this machine config node resource. 
@@ -182,6 +206,8 @@ spec: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -241,6 +267,52 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields. + When omitted, this means that the Image Mode feature is not being used and the node will be up to date with the specific current rendered config version for the nodes MachinePool. + When specified, the Image Mode feature is enabled and the contents of this field show the observed state of the node image. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is not created, only the configVersion field will change. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is created, then only the configImage field will change. It is also possible that both the configImage + and configVersion change during the same update. + minProperties: 1 + properties: + currentImage: + description: |- + currentImage is an optional field that represents the current image that is applied to the node. + When omitted, this means that no image updates have been applied to the node and it will be up to date with the specific current rendered config version. + When specified, this means that the node is currently using this image. + currentImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + currentImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + desiredImage: + description: |- + desiredImage is an optional field that represents the currently observed state of image that the node should be updated to use. + When not specified, this means that Image Mode has been disabled and the node will up to date with the specific current rendered config version. + When specified, this means that Image Mode has been enabled and the node is actively progressing to update the node to this image. + If currentImage and desiredImage match, the node has been successfully updated to use the desired image. + desiredImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + type: object configVersion: description: configVersion describes the current and desired machine config version for this node. diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml index 013d6952b4..74d7000f65 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml 
@@ -99,6 +99,30 @@ spec: spec: description: spec describes the configuration of the machine config node. properties: + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields + When omitted, Image Mode is not be enabled and the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + When specified, Image Mode is enabled and will attempt to update the node to use the desired image. Following this, the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. + properties: + desiredImage: + description: |- + desiredImage is a required field that configures the image that the node should be updated to use. + It must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + required: + - desiredImage + type: object configVersion: description: |- configVersion holds the desired config version for the node targeted by this machine config node resource. 
@@ -182,6 +206,8 @@ spec: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -241,6 +267,52 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map + configImage: + description: |- + configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields. + When omitted, this means that the Image Mode feature is not being used and the node will be up to date with the specific current rendered config version for the nodes MachinePool. + When specified, the Image Mode feature is enabled and the contents of this field show the observed state of the node image. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is not created, only the configVersion field will change. + When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is created, then only the configImage field will change. It is also possible that both the configImage + and configVersion change during the same update. + minProperties: 1 + properties: + currentImage: + description: |- + currentImage is an optional field that represents the current image that is applied to the node. + When omitted, this means that no image updates have been applied to the node and it will be up to date with the specific current rendered config version. + When specified, this means that the node is currently using this image. + currentImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + currentImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + desiredImage: + description: |- + desiredImage is an optional field that represents the currently observed state of image that the node should be updated to use. + When not specified, this means that Image Mode has been disabled and the node will up to date with the specific current rendered config version. + When specified, this means that Image Mode has been enabled and the node is actively progressing to update the node to this image. + If currentImage and desiredImage match, the node has been successfully updated to use the desired image. + desiredImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. + desiredImage must not be an empty string and must not exceed 447 characters in length. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + type: object configVersion: description: configVersion describes the current and desired machine config version for this node. diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml index 6e8dd52e54..d1515713bd 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml @@ -345,6 +345,12 @@ spec: required: - spec type: object + x-kubernetes-validations: + - message: MachineOSConfig name must match the referenced MachineConfigPool + name; can only have one MachineOSConfig per MachineConfigPool + optionalOldSelf: true + rule: self.metadata.name == self.spec.machineConfigPool.name || oldSelf.hasValue() + && oldSelf.spec.machineConfigPool.name.value() == self.spec.machineConfigPool.name served: true storage: true subresources: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go index 521fd1af22..c8a7667fe7 100644 
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go @@ -748,6 +748,7 @@ func (in *MachineConfigNodeSpec) DeepCopyInto(out *MachineConfigNodeSpec) { out.Node = in.Node out.Pool = in.Pool out.ConfigVersion = in.ConfigVersion + out.ConfigImage = in.ConfigImage return } @@ -761,6 +762,22 @@ func (in *MachineConfigNodeSpec) DeepCopy() *MachineConfigNodeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigNodeSpecConfigImage) DeepCopyInto(out *MachineConfigNodeSpecConfigImage) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigNodeSpecConfigImage. +func (in *MachineConfigNodeSpecConfigImage) DeepCopy() *MachineConfigNodeSpecConfigImage { + if in == nil { + return nil + } + out := new(MachineConfigNodeSpecConfigImage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigNodeSpecMachineConfigVersion) DeepCopyInto(out *MachineConfigNodeSpecMachineConfigVersion) { *out = *in @@ -792,6 +809,7 @@ func (in *MachineConfigNodeStatus) DeepCopyInto(out *MachineConfigNodeStatus) { *out = new(MachineConfigNodeStatusMachineConfigVersion) **out = **in } + out.ConfigImage = in.ConfigImage if in.PinnedImageSets != nil { in, out := &in.PinnedImageSets, &out.PinnedImageSets *out = make([]MachineConfigNodeStatusPinnedImageSet, len(*in)) 
@@ -815,6 +833,22 @@ func (in *MachineConfigNodeStatus) DeepCopy() *MachineConfigNodeStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigNodeStatusConfigImage) DeepCopyInto(out *MachineConfigNodeStatusConfigImage) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigNodeStatusConfigImage. +func (in *MachineConfigNodeStatusConfigImage) DeepCopy() *MachineConfigNodeStatusConfigImage { + if in == nil { + return nil + } + out := new(MachineConfigNodeStatusConfigImage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigNodeStatusMachineConfigVersion) DeepCopyInto(out *MachineConfigNodeStatusMachineConfigVersion) { *out = *in diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 2fa1eb8e8f..d80bfc5848 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -117,6 +117,7 @@ machineconfignodes.machineconfiguration.openshift.io: Capability: "" Category: "" FeatureGates: + - ImageModeStatusReporting - IrreconcilableMachineConfig - MachineConfigNodes FilenameOperatorName: machine-config diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 1105a2c77f..3a0b0646a6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -413,12 +413,22 @@ var map_MachineConfigNodeSpec = map[string]string{ "node": "node contains a reference to the node for this machine config node.", "pool": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", "configVersion": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", + "configImage": "configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields When omitted, Image Mode is not be enabled and the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications. When specified, Image Mode is enabled and will attempt to update the node to use the desired image. Following this, the node will follow the standard update process of creating a rendered MachineConfig and updating to its specifications.", } func (MachineConfigNodeSpec) SwaggerDoc() map[string]string { return map_MachineConfigNodeSpec } +var map_MachineConfigNodeSpecConfigImage = map[string]string{ + "": "MachineConfigNodeSpecConfigImage holds the desired image for the node. This structure is populated from the `machineconfiguration.openshift.io/desiredImage` annotation on the target node, which is set by the Machine Config Pool controller to signal the desired image pullspec for the node to update to.", + "desiredImage": "desiredImage is a required field that configures the image that the node should be updated to use. 
It must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. desiredImage must not be an empty string and must not exceed 447 characters in length.", +} + +func (MachineConfigNodeSpecConfigImage) SwaggerDoc() map[string]string { + return map_MachineConfigNodeSpecConfigImage +} + var map_MachineConfigNodeSpecMachineConfigVersion = map[string]string{ "": "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", "desired": "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", 
@@ -430,9 +440,10 @@ func (MachineConfigNodeSpecMachineConfigVersion) SwaggerDoc() map[string]string var map_MachineConfigNodeStatus = map[string]string{ "": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", - "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded.", + "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles", "observedGeneration": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", "configVersion": "configVersion describes the current and desired machine config version for this node.", + "configImage": "configImage is an optional field for configuring the OS image to be used for this node. This field will only exist if the node belongs to a pool opted into on-cluster image builds, and will override any MachineConfig referenced OSImageURL fields. When omitted, this means that the Image Mode feature is not being used and the node will be up to date with the specific current rendered config version for the nodes MachinePool. 
When specified, the Image Mode feature is enabled and the contents of this field show the observed state of the node image. When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is not created, only the configVersion field will change. When Image Mode is enabled and a new MachineConfig is applied such that a new OS image build is created, then only the configImage field will change. It is also possible that both the configImage and configVersion change during the same update.", "pinnedImageSets": "pinnedImageSets describes the current and desired pinned image sets for this node.", "irreconcilableChanges": "irreconcilableChanges is an optional field that contains the observed differences between this nodes configuration and the target rendered MachineConfig. This field will be set when there are changes to the target rendered MachineConfig that can only be applied to new nodes joining the cluster. Entries must be unique, keyed on the fieldPath field. Must not exceed 32 entries.", } 
@@ -441,6 +452,16 @@ func (MachineConfigNodeStatus) SwaggerDoc() map[string]string { return map_MachineConfigNodeStatus } +var map_MachineConfigNodeStatusConfigImage = map[string]string{ + "": "MachineConfigNodeStatusConfigImage holds the observed state of the image on the node, including both the image targeted for an update and the image currently applied. This allows for monitoring the progress of the layering rollout. If Image Mode is enabled, desiredImage must be defined.", + "currentImage": "currentImage is an optional field that represents the current image that is applied to the node. When omitted, this means that no image updates have been applied to the node and it will be up to date with the specific current rendered config version. When specified, this means that the node is currently using this image. currentImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. currentImage must not be an empty string and must not exceed 447 characters in length.", + "desiredImage": "desiredImage is an optional field that represents the currently observed state of image that the node should be updated to use. When not specified, this means that Image Mode has been disabled and the node will up to date with the specific current rendered config version. When specified, this means that Image Mode has been enabled and the node is actively progressing to update the node to this image. If currentImage and desiredImage match, the node has been successfully updated to use the desired image. desiredImage must be a fully qualified OCI image pull spec of the format host[:port][/namespace]/name@sha256:, where the digest must be exactly 64 characters in length and consist only of lowercase hexadecimal characters, a-f and 0-9. 
desiredImage must not be an empty string and must not exceed 447 characters in length.", +} + +func (MachineConfigNodeStatusConfigImage) SwaggerDoc() map[string]string { + return map_MachineConfigNodeStatusConfigImage +} + var map_MachineConfigNodeStatusMachineConfigVersion = map[string]string{ "": "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", "current": "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversionoperators-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversionoperators-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..5aaf4580d2 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversionoperators-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,90 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2044 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: clusterversionoperators.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: ClusterVersionOperator + listKind: ClusterVersionOperatorList + plural: clusterversionoperators + singular: clusterversionoperator + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ClusterVersionOperator holds cluster-wide information about the Cluster Version Operator. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Cluster Version Operator. 
+ properties: + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + type: object + status: + description: status is the most recently observed status of the Cluster + Version Operator. + properties: + observedGeneration: + description: |- + observedGeneration represents the most recent generation observed by the operator and specifies the version of + the spec field currently being synced. + format: int64 + type: integer + x-kubernetes-validations: + - message: observedGeneration must only increase + rule: self >= oldSelf + type: object + required: + - metadata + - spec + type: object + x-kubernetes-validations: + - message: ClusterVersionOperator is a singleton; the .metadata.name field + must be 'cluster' + rule: self.metadata.name == 'cluster' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go b/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go index d27cfbebd4..80a4243a40 100644 --- a/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go +++ b/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go 
@@ -23,8 +23,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "BuildCSIVolumes", // never add to this list, if you think you have an exception ask @deads2k - "ChunkSizeMiB", - // never add to this list, if you think you have an exception ask @deads2k "ClusterAPIInstall", // never add to this list, if you think you have an exception ask @deads2k "ClusterAPIInstallIBMCloud", diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go index d1e04cef84..6f34967acc 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go @@ -8,6 +8,7 @@ type MachineConfigNodeSpecApplyConfiguration struct { Node *MCOObjectReferenceApplyConfiguration `json:"node,omitempty"` Pool *MCOObjectReferenceApplyConfiguration `json:"pool,omitempty"` ConfigVersion *MachineConfigNodeSpecMachineConfigVersionApplyConfiguration `json:"configVersion,omitempty"` + ConfigImage *MachineConfigNodeSpecConfigImageApplyConfiguration `json:"configImage,omitempty"` } // MachineConfigNodeSpecApplyConfiguration constructs a declarative configuration of the MachineConfigNodeSpec type for use with 
@@ -39,3 +40,11 @@ func (b *MachineConfigNodeSpecApplyConfiguration) WithConfigVersion(value *Machi b.ConfigVersion = value return b } + +// WithConfigImage sets the ConfigImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ConfigImage field is set to the value of the last call. +func (b *MachineConfigNodeSpecApplyConfiguration) WithConfigImage(value *MachineConfigNodeSpecConfigImageApplyConfiguration) *MachineConfigNodeSpecApplyConfiguration { + b.ConfigImage = value + return b +} diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go new file mode 100644 index 0000000000..c72e26f9cd --- /dev/null +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go 
@@ -0,0 +1,27 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + machineconfigurationv1 "github.com/openshift/api/machineconfiguration/v1" +) + +// MachineConfigNodeSpecConfigImageApplyConfiguration represents a declarative configuration of the MachineConfigNodeSpecConfigImage type for use +// with apply. +type MachineConfigNodeSpecConfigImageApplyConfiguration struct { + DesiredImage *machineconfigurationv1.ImageDigestFormat `json:"desiredImage,omitempty"` +} + +// MachineConfigNodeSpecConfigImageApplyConfiguration constructs a declarative configuration of the MachineConfigNodeSpecConfigImage type for use with +// apply. +func MachineConfigNodeSpecConfigImage() *MachineConfigNodeSpecConfigImageApplyConfiguration { + return &MachineConfigNodeSpecConfigImageApplyConfiguration{} +} + +// WithDesiredImage sets the DesiredImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DesiredImage field is set to the value of the last call. +func (b *MachineConfigNodeSpecConfigImageApplyConfiguration) WithDesiredImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeSpecConfigImageApplyConfiguration { + b.DesiredImage = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go index 33c8cb0085..0052db33ea 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go 
@@ -12,6 +12,7 @@ type MachineConfigNodeStatusApplyConfiguration struct { Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` ObservedGeneration *int64 `json:"observedGeneration,omitempty"` ConfigVersion *MachineConfigNodeStatusMachineConfigVersionApplyConfiguration `json:"configVersion,omitempty"` + ConfigImage *MachineConfigNodeStatusConfigImageApplyConfiguration `json:"configImage,omitempty"` PinnedImageSets []MachineConfigNodeStatusPinnedImageSetApplyConfiguration `json:"pinnedImageSets,omitempty"` IrreconcilableChanges []IrreconcilableChangeDiffApplyConfiguration `json:"irreconcilableChanges,omitempty"` } @@ -51,6 +52,14 @@ func (b *MachineConfigNodeStatusApplyConfiguration) WithConfigVersion(value *Mac return b } +// WithConfigImage sets the ConfigImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ConfigImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusApplyConfiguration) WithConfigImage(value *MachineConfigNodeStatusConfigImageApplyConfiguration) *MachineConfigNodeStatusApplyConfiguration { + b.ConfigImage = value + return b +} + // WithPinnedImageSets adds the given value to the PinnedImageSets field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the PinnedImageSets field. diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go new file mode 100644 index 0000000000..7eada16af9 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + machineconfigurationv1 "github.com/openshift/api/machineconfiguration/v1" +) + +// MachineConfigNodeStatusConfigImageApplyConfiguration represents a declarative configuration of the MachineConfigNodeStatusConfigImage type for use +// with apply. +type MachineConfigNodeStatusConfigImageApplyConfiguration struct { + CurrentImage *machineconfigurationv1.ImageDigestFormat `json:"currentImage,omitempty"` + DesiredImage *machineconfigurationv1.ImageDigestFormat `json:"desiredImage,omitempty"` +} + +// MachineConfigNodeStatusConfigImageApplyConfiguration constructs a declarative configuration of the MachineConfigNodeStatusConfigImage type for use with +// apply. +func MachineConfigNodeStatusConfigImage() *MachineConfigNodeStatusConfigImageApplyConfiguration { + return &MachineConfigNodeStatusConfigImageApplyConfiguration{} +} + +// WithCurrentImage sets the CurrentImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CurrentImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusConfigImageApplyConfiguration) WithCurrentImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeStatusConfigImageApplyConfiguration { + b.CurrentImage = &value + return b +} + +// WithDesiredImage sets the DesiredImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DesiredImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusConfigImageApplyConfiguration) WithDesiredImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeStatusConfigImageApplyConfiguration { + b.DesiredImage = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go index 8f1ab15ec0..ff03d0601c 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go @@ -60,10 +60,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &machineconfigurationv1.MachineConfigNodeApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpec"): return &machineconfigurationv1.MachineConfigNodeSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpecConfigImage"): + return &machineconfigurationv1.MachineConfigNodeSpecConfigImageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpecMachineConfigVersion"): return &machineconfigurationv1.MachineConfigNodeSpecMachineConfigVersionApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatus"): return &machineconfigurationv1.MachineConfigNodeStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusConfigImage"): + return &machineconfigurationv1.MachineConfigNodeStatusConfigImageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusMachineConfigVersion"): return &machineconfigurationv1.MachineConfigNodeStatusMachineConfigVersionApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusPinnedImageSet"): diff --git a/vendor/modules.txt b/vendor/modules.txt index 8813204da7..2d496063ba 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1214,7 +1214,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/junit github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20250811150514-cc869c87a7f0 +# github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2 ## explicit; go 1.24.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1297,7 +1297,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/client-go v0.0.0-20250811163556-6193816ae379 +# github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b ## explicit; go 1.24.0 github.com/openshift/client-go/apps/applyconfigurations/apps/v1 github.com/openshift/client-go/apps/applyconfigurations/internal From b77f1c993ab3c0a931fc29a5433041eb9c5f4a5f Mon Sep 17 00:00:00 2001 From: Isabella Janssen Date: Fri, 12 Sep 2025 09:56:47 -0400 Subject: [PATCH 2/2] controller, daemon, and upgrade monitor: update MachineConfigNode update flow to include image mode status reporting fields --- pkg/controller/common/layered_node_state.go | 16 +++ pkg/controller/node/node_controller.go | 14 ++- pkg/daemon/update.go | 123 ++++++++++++++++++++ pkg/upgrademonitor/upgrade_monitor.go | 118 ++++++++++++++++++- 4 files changed, 266 insertions(+), 5 deletions(-) diff --git a/pkg/controller/common/layered_node_state.go b/pkg/controller/common/layered_node_state.go index ea4309df85..abec51d81e 100644 --- a/pkg/controller/common/layered_node_state.go +++ b/pkg/controller/common/layered_node_state.go 
@@ -321,3 +321,19 @@ func (l *LayeredNodeState) CheckNodeCandidacyForUpdate(layered bool, pool *mcfgv return true } + +// GetDesiredAnnotationsFromMachineOSConfig gets the desired config version and desired image values from the associated MOSC and MOSB +func (l *LayeredNodeState) GetDesiredAnnotationsFromMachineConfigPool(mcp *mcfgv1.MachineConfigPool) (desriedConfig string) { + return mcp.Spec.Configuration.Name +} + +// GetDesiredAnnotationsFromMachineOSConfig gets the desired config version and desired image values from the associated MOSC and MOSB +func (l *LayeredNodeState) GetDesiredAnnotationsFromMachineOSConfig(mosc *mcfgv1.MachineOSConfig, mosb *mcfgv1.MachineOSBuild) (desriedConfig, desiredImage string) { + desiredImage = "" + moscs := NewMachineOSConfigState(mosc) + if moscs.HasOSImage() { + desiredImage = moscs.GetOSImage() + } + + return mosb.Spec.MachineConfig.Name, desiredImage +} diff --git a/pkg/controller/node/node_controller.go b/pkg/controller/node/node_controller.go index 182285c412..5ec6b24997 100644 --- a/pkg/controller/node/node_controller.go +++ b/pkg/controller/node/node_controller.go @@ -9,6 +9,7 @@ import ( "time" helpers "github.com/openshift/machine-config-operator/pkg/helpers" + "github.com/openshift/machine-config-operator/pkg/upgrademonitor" configv1 "github.com/openshift/api/config/v1" features "github.com/openshift/api/features" 
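Review bot: The doc comment on `GetDesiredAnnotationsFromMachineConfigPool` is copied from its MOSC sibling and describes the wrong function (it names `GetDesiredAnnotationsFromMachineOSConfig` and promises a desired image this method never returns), and both named results are spelled `desriedConfig`. Suggest `// GetDesiredAnnotationsFromMachineConfigPool returns the desired rendered config name from the pool's spec; non-layered pools carry no desired image.` and renaming the result to `desiredConfig` in both signatures. `GetDesiredAnnotationsFromMachineOSConfig` dereferences `mosb.Spec.MachineConfig.Name` with no nil check; the caller in node_controller invokes `SetDesiredStateFromMachineOSConfig(mosc, mosb)` first, so if that already rejects a nil build this is safe, otherwise a nil `mosb` panics here. Neither method reads `l`, so they would work as plain functions, though keeping them as methods matches the existing `SetDesiredState*` API.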
@@ -1288,14 +1289,19 @@ func (ctrl *Controller) updateCandidateNode(mosc *mcfgv1.MachineOSConfig, mosb * } lns := ctrlcommon.NewLayeredNodeState(oldNode) + desiredConfig := "" + desiredImage := "" if !layered { lns.SetDesiredStateFromPool(pool) + // If pool is not layered, the desired image annotation is removed (see the `delete` + // call in `SetDesiredStateFromPool`), so only the desired config version must be set. + desiredConfig = lns.GetDesiredAnnotationsFromMachineConfigPool(pool) } else { lns.SetDesiredStateFromMachineOSConfig(mosc, mosb) + desiredConfig, desiredImage = lns.GetDesiredAnnotationsFromMachineOSConfig(mosc, mosb) } // Set the desired state to match the pool. - newData, err := json.Marshal(lns.Node()) if err != nil { return err @@ -1306,6 +1312,12 @@ func (ctrl *Controller) updateCandidateNode(mosc *mcfgv1.MachineOSConfig, mosb * return nil } + // Populate the desired config version and image annotations in the node's MCN + err = upgrademonitor.UpdateMachineConfigNodeSpecDesiredAnnotations(ctrl.fgHandler, ctrl.client, nodeName, desiredConfig, desiredImage) + if err != nil { + klog.Errorf("error populating MCN for desired config version and image updates: %v", err) + } + klog.V(4).Infof("Pool %s: layered=%v node %s update is needed", pool.Name, layered, nodeName) patchBytes, err := strategicpatch.CreateTwoWayMergePatch(oldData, newData, corev1.Node{}) if err != nil { diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go index 2c2ab38f14..eaaf7c2842 100644 --- a/pkg/daemon/update.go +++ b/pkg/daemon/update.go 
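Review bot: `UpdateMachineConfigNodeSpecDesiredAnnotations` is called before the node patch is built and applied, so if the patch fails the MCN spec already advertises a desired config/image that the node annotations never received, and the two disagree until the next reconcile. Moving the call below a successful patch (the patch apply itself is outside this hunk) keeps the MCN spec derived from state actually recorded on the node. Logging and dropping the error is reasonable for a status-only write, but the log line should carry the node so the divergence is attributable, e.g. `klog.Errorf("node %s: error populating MCN desired config/image: %v", nodeName, err)`. The blank line removed in the first hunk also leaves `// Set the desired state to match the pool.` sitting directly above the `json.Marshal` call it does not describe; either restore the blank line or move the comment above the `if !layered` block.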
@@ -2567,11 +2567,38 @@ func (dn *Daemon) updateLayeredOS(config *mcfgv1.MachineConfig) error { } } + // For image mode status reporting we need the node's MCP association to populate its MCN + imageModeStatusReportingEnabled := dn.fgHandler != nil && dn.fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) + pool := "" + if imageModeStatusReportingEnabled { + pool, err = helpers.GetPrimaryPoolNameForMCN(dn.mcpLister, dn.node) + if err != nil { + return err + } + } + if isOsImagePresent { if err := dn.NodeUpdaterClient.RebaseLayeredFromContainerStorage(newURL); err != nil { return fmt.Errorf("failed to update OS from local storage: %s: %w", newURL, err) } } else { + // Report ImagePulledFromRegistry condition as unknown (pulling) + if imageModeStatusReportingEnabled { + err := upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Pulling OS image %s from registry", newURL)}, + nil, + metav1.ConditionUnknown, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to unknown: %v", err) + } + } + // Workaround for OCPBUGS-43406, retry the remote rebase with backoff, // such that if we happen to update while the CoreDNS pod is being restarted, // the next retry should succeed if no other issues are present. 
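Review bot: A failure of `helpers.GetPrimaryPoolNameForMCN` now aborts the whole OS update with `return err`, although the pool name is only needed to write status conditions behind the ImageModeStatusReporting gate; turning on a reporting feature should not add a new way for the update itself to fail. Consider degrading instead: keep the `if err != nil {` and replace `return err` with `klog.Errorf("skipping image mode status reporting: %v", err)` followed by `imageModeStatusReportingEnabled = false`. The same lookup-and-return pattern is repeated in the `applyLayeredOSChanges` hunk further down (`@@ -2738,13 +2799,75 @@`). `updateLayeredOS` begins outside this hunk, so the earlier declaration of `err` that the `pool, err =` assignment relies on is not visible here.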
@@ -2588,8 +2615,41 @@ func (dn *Daemon) updateLayeredOS(config *mcfgv1.MachineConfig) error { } return true, nil }); err != nil { + // Report ImagePulledFromRegistry condition as false (failed) + if imageModeStatusReportingEnabled { + err = upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Failed to pull OS image %s from registry: %v", newURL, err)}, + nil, + metav1.ConditionFalse, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to false: %v", err) + } + } return fmt.Errorf("Failed to update OS to %s after retries: %w", newURL, err) } + + // Report ImagePulledFromRegistry condition as true (success) + if imageModeStatusReportingEnabled { + err := upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Successfully pulled OS image %s from registry", newURL)}, + nil, + metav1.ConditionTrue, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to true: %v", err) + } + } } return nil @@ -2727,6 +2787,7 @@ func (dn *Daemon) reboot(rationale string) error { return nil } +//nolint:gocyclo func (dn *CoreOSDaemon) applyLayeredOSChanges(mcDiff machineConfigDiff, oldConfig, newConfig *mcfgv1.MachineConfig) (retErr error) { // Override the computed diff if the booted state differs from the oldConfig // https://issues.redhat.com/browse/OCPBUGS-2757 
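Review bot: In the backoff failure branch the status write is assigned with `err = upgrademonitor.GenerateAndApplyMachineConfigNodes(...)`, which overwrites the pull error that the following `return fmt.Errorf("Failed to update OS to %s after retries: %w", newURL, err)` is meant to wrap; when the status write succeeds the function returns a wrapped nil, and when it fails the original cause is replaced by the MCN write error. Use a separate variable, e.g. `if mcnErr := upgrademonitor.GenerateAndApplyMachineConfigNodes(...); mcnErr != nil { klog.Errorf("Error setting ImagePulledFromRegistry condition to false: %v", mcnErr) }`, as the success path in this same hunk already does with `err :=`. The `fmt.Sprintf(..., err)` inside the condition message is evaluated before the assignment, so the reported message itself is correct; only the returned error is wrong.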
@@ -2738,13 +2799,75 @@ func (dn *CoreOSDaemon) applyLayeredOSChanges(mcDiff machineConfigDiff, oldConfi var osExtensionsContentDir string var err error + // For image mode status reporting we need the node's MCP association to populate its MCN + imageModeStatusReportingEnabled := dn.fgHandler != nil && dn.fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) + pool := "" + if imageModeStatusReportingEnabled { + pool, err = helpers.GetPrimaryPoolNameForMCN(dn.mcpLister, dn.node) + if err != nil { + return err + } + } + if newConfig.Spec.BaseOSExtensionsContainerImage != "" && (mcDiff.osUpdate || mcDiff.extensions || mcDiff.kernelType) && !mcDiff.oclEnabled { // TODO(jkyros): the original intent was that we use the extensions container as a service, but that currently results // in a lot of complexity due to boostrap and firstboot where the service isn't easily available, so for now we are going // to extract them to disk like we did previously. + + // Report ImagePulledFromRegistry condition as unknown (pulling) + if imageModeStatusReportingEnabled { + err := upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Pulling extensions image %s from registry", newConfig.Spec.BaseOSExtensionsContainerImage)}, + nil, + metav1.ConditionUnknown, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to unknown: %v", err) + } + } + if osExtensionsContentDir, err = ExtractExtensionsImage(newConfig.Spec.BaseOSExtensionsContainerImage); err != nil { + // Report ImagePulledFromRegistry condition as false (failed) + if imageModeStatusReportingEnabled { + err := upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, 
Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Failed to pull extensions image %s from registry: %v", newConfig.Spec.BaseOSExtensionsContainerImage, err)}, + nil, + metav1.ConditionFalse, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to false: %v", err) + } + } return err } + + // Report ImagePulledFromRegistry condition as true (success) + if imageModeStatusReportingEnabled { + err := upgrademonitor.GenerateAndApplyMachineConfigNodes( + &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Successfully pulled extensions image %s from registry", newConfig.Spec.BaseOSExtensionsContainerImage)}, + nil, + metav1.ConditionTrue, + metav1.ConditionFalse, + dn.node, + dn.mcfgClient, + dn.fgHandler, + pool, + ) + if err != nil { + klog.Errorf("Error setting ImagePulledFromRegistry condition to true: %v", err) + } + } + // Delete extracted OS image once we are done. defer os.RemoveAll(osExtensionsContentDir) diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go index d58542b8bb..43e18fd3a5 100644 --- a/pkg/upgrademonitor/upgrade_monitor.go +++ b/pkg/upgrademonitor/upgrade_monitor.go @@ -143,6 +143,7 @@ func generateAndApplyMachineConfigNodes( mcfgv1.MachineConfigNodeResumed, mcfgv1.MachineConfigNodeUpdateDrained, mcfgv1.MachineConfigNodeUpdateFilesAndOS, + mcfgv1.MachineConfigNodeImagePulledFromRegistry, mcfgv1.MachineConfigNodeUpdateCordoned, mcfgv1.MachineConfigNodeUpdateRebooted, mcfgv1.MachineConfigNodeUpdated, 
@@ -217,8 +218,19 @@ func generateAndApplyMachineConfigNodes( case condition.Status != metav1.ConditionFalse && reset: condition.Status = metav1.ConditionFalse - condition.Message = fmt.Sprintf("Action during update to %s: %s", newMCNode.Spec.ConfigVersion.Desired, condition.Message) condition.LastTransitionTime = metav1.Now() + + // Set the update to annotation to the desired rendered MC version by default for the condition message + updateToMessage := fmt.Sprintf("Action during update to %s: %s", newMCNode.Spec.ConfigVersion.Desired, condition.Message) + // Handle OCL update cases differently + if newMCNode.Spec.ConfigImage.DesiredImage != newMCNode.Status.ConfigImage.CurrentImage { + if newMCNode.Spec.ConfigImage.DesiredImage != "" { // Handle case when desired image exists + updateToMessage = fmt.Sprintf("Action during update to %s: %s", newMCNode.Spec.ConfigImage.DesiredImage, condition.Message) + } else { // When the desired image is empty, it means OCL is being disabled; provide a more useful message in this case + updateToMessage = fmt.Sprintf("Action during update to disable image mode: %s", condition.Message) + } + } + condition.Message = updateToMessage } condition.DeepCopyInto(&newMCNode.Status.Conditions[i]) } 
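Review bot: The comparison `newMCNode.Spec.ConfigImage.DesiredImage != newMCNode.Status.ConfigImage.CurrentImage` runs before the hunk at +262 assigns the annotation-derived `newMCNode.Status.ConfigImage`, so `CurrentImage` here is whatever the previous status apply wrote (or empty for an MCN created before the gate was on); if that is intended, a comment such as `// CurrentImage is the last reported value; the annotation-derived status is assigned below` would save the next reader a trip, and if not, the ConfigImage population should move above the condition loop. The `else` comment treats an empty desired image as image mode being disabled, but the field is also empty when ImageModeStatusReporting is switched off while a stale `Status.ConfigImage.CurrentImage` remains, which would still yield the "disable image mode" text — I cannot see the gate handling for this branch, so this is inferred. Style: the trailing comments on the `if … { // …` and `} else { // …` lines read better as their own lines above each branch. generateAndApplyMachineConfigNodes starts and ends outside the hunk.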
@@ -250,6 +262,26 @@ func generateAndApplyMachineConfigNodes( newMCNode.Status.ConfigVersion.Current = node.Annotations[daemonconsts.CurrentMachineConfigAnnotationKey] } + // Set current and desired image values in MCN.Status.ConfigImage + // This is only done when the ImageModeStatusReporting feature gate is enabled + if fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) { + newMCNStatusConfigImage := mcfgv1.MachineConfigNodeStatusConfigImage{} + currentImageAnnotation := node.Annotations[daemonconsts.CurrentImageAnnotationKey] + desiredImageAnnotation := node.Annotations[daemonconsts.DesiredImageAnnotationKey] + + // Set current image if annotation exists + if currentImageAnnotation != "" { + newMCNStatusConfigImage.CurrentImage = mcfgv1.ImageDigestFormat(currentImageAnnotation) + } + + // Set desired image if annotation exists + if desiredImageAnnotation != "" { + newMCNStatusConfigImage.DesiredImage = mcfgv1.ImageDigestFormat(desiredImageAnnotation) + } + + newMCNode.Status.ConfigImage = newMCNStatusConfigImage + } + // if we do not need a new MCN, generate the apply configurations for this object if !needNewMCNode { statusconfigVersionApplyConfig := machineconfigurationv1.MachineConfigNodeStatusMachineConfigVersion().WithDesired(newMCNode.Status.ConfigVersion.Desired) 
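Review bot: The annotation values are converted straight into `mcfgv1.ImageDigestFormat` with no check, so if that type carries API validation for a digest-form reference (its name suggests so, but the definition is outside this diff) a malformed value under `DesiredImageAnnotationKey` or `CurrentImageAnnotationKey` would make the whole MCN status apply fail and take every other condition update down with it. Node annotations are writable by anything holding patch rights on the Node, so treating them as untrusted input at this boundary is reasonable: validate the format before assigning and on failure log and skip the ConfigImage fields rather than abort, e.g. `klog.Warningf("Ignoring malformed current image annotation %q on node %s", currentImageAnnotation, node.Name)`. The same cast is repeated in UpdateMachineConfigNodeSpecDesiredAnnotations and GenerateAndApplyMachineConfigNodeSpec further down, so one validating helper would cover all three sites. generateAndApplyMachineConfigNodes starts and ends outside the hunk.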
@@ -262,6 +294,23 @@ func generateAndApplyMachineConfigNodes( WithObservedGeneration(newMCNode.Generation + 1). WithConfigVersion(statusconfigVersionApplyConfig) + // Add ConfigImage to apply configuration if feature gate is enabled and image annotations exist + if fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) && (newMCNode.Status.ConfigImage.CurrentImage != "" || newMCNode.Status.ConfigImage.DesiredImage != "") { + configImageApplyConfig := machineconfigurationv1.MachineConfigNodeStatusConfigImage() + + // Set current image if it exists + if newMCNode.Status.ConfigImage.CurrentImage != "" { + configImageApplyConfig = configImageApplyConfig.WithCurrentImage(newMCNode.Status.ConfigImage.CurrentImage) + } + + // Set desired image if it exists + if newMCNode.Status.ConfigImage.DesiredImage != "" { + configImageApplyConfig = configImageApplyConfig.WithDesiredImage(newMCNode.Status.ConfigImage.DesiredImage) + } + + statusApplyConfig = statusApplyConfig.WithConfigImage(configImageApplyConfig) + } + if fgHandler.Enabled(features.FeatureGatePinnedImages) { if imageSetApplyConfig == nil { for _, imageSet := range newMCNode.Status.PinnedImageSets { 
@@ -335,6 +384,53 @@ func isSingletonCondition(singletonConditionTypes []mcfgv1.StateProgress, condit return false } +// UpdateMachineConfigNodeSpecDesiredAnnotations sets the desired config version and image +// annotation values in the `Spec` of an existing MachineConfigNode resource +func UpdateMachineConfigNodeSpecDesiredAnnotations(fgHandler ctrlcommon.FeatureGatesHandler, mcfgClient mcfgclientset.Interface, nodeName, desiredConfig, desiredImage string) error { + if fgHandler == nil { + return nil + } + + // Check that the MachineConfigNode feature gate is enabled + if !fgHandler.Enabled(features.FeatureGateMachineConfigNodes) { + klog.Infof("MachineConfigNode FeatureGate is not enabled.") + return nil + } + + // Get the existing MCN + mcn, mcnErr := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Get(context.TODO(), nodeName, metav1.GetOptions{}) + // Note that this function is only intended to update the Spec of an existing MCN. We should + // not reach this point if there is not an existing MCN for a node, but we need to handle the + // DNE and other potential error situations just in case. 
+ if mcnErr != nil { + return mcnErr + } + + // Set the desired config annotation + mcn.Spec.ConfigVersion.Desired = NotYetSet + if desiredConfig != "" { + mcn.Spec.ConfigVersion.Desired = desiredConfig + } + + // Set the desired image annotation if the ImageModeStatusReporting feature gate is enabled + if fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) { + // Set the desired image annotation + mcn.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{} + if desiredImage != "" { + mcn.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ + DesiredImage: mcfgv1.ImageDigestFormat(desiredImage), + } + } + } + + // Update the MCN resource + if _, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Update(context.TODO(), mcn, metav1.UpdateOptions{FieldManager: "machine-config-operator"}); err != nil { + return fmt.Errorf("failed to update the %s mcn spec with the new desired config and image value: %w", nodeName, err) + } + + return nil +} + // GenerateAndApplyMachineConfigNodeSpec generates and applies a new MCN spec based off the node state func GenerateAndApplyMachineConfigNodeSpec(fgHandler ctrlcommon.FeatureGatesHandler, pool string, node *corev1.Node, mcfgClient mcfgclientset.Interface) error { if fgHandler == nil || node == nil { @@ -342,13 +438,14 @@ func GenerateAndApplyMachineConfigNodeSpec(fgHandler ctrlcommon.FeatureGatesHand } if !fgHandler.Enabled(features.FeatureGateMachineConfigNodes) { - klog.Infof("MCN Featuregate is not enabled. Please enable the TechPreviewNoUpgrade featureset to use MachineConfigNodes") + klog.Infof("MachineConfigNode FeatureGate is not enabled.") return nil } + // get the existing MCN, or if it DNE create one below mcNode, needNewMCNode := createOrGetMachineConfigNode(mcfgClient, node) newMCNode := mcNode.DeepCopy() - // set the spec config version + // Set the MCN owner references newMCNode.ObjectMeta.OwnerReferences = []metav1.OwnerReference{ { APIVersion: "v1", 
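Review bot: UpdateMachineConfigNodeSpecDesiredAnnotations does a read-modify-write with `Get` followed by a full-object `Update`, so a concurrent writer between the two calls (GenerateAndApplyMachineConfigNodeSpec uses server-side apply on the same object) produces a conflict error that is returned with no retry; wrapping the Get/modify/Update sequence in `retry.RetryOnConflict(retry.DefaultRetry, func() error { … })` from k8s.io/client-go/util/retry is the usual fix, and a full Update also pushes back every spec field at the value it read, not just the two it means to change. The Get error is returned bare while the Update error is wrapped; `return fmt.Errorf("getting mcn %s: %w", nodeName, mcnErr)` keeps the two consistent. The doc comment speaks of "annotation values" but the function writes `Spec.ConfigVersion.Desired` and `Spec.ConfigImage`; `// UpdateMachineConfigNodeSpecDesiredAnnotations sets Spec.ConfigVersion.Desired and Spec.ConfigImage.DesiredImage on an existing MachineConfigNode from the node's desired annotations.` reads closer to the code. `context.TODO()` on both API calls means the writes cannot be cancelled; plumbing a ctx parameter through is worth a follow-up if the callers have one.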
@@ -358,20 +455,33 @@ func GenerateAndApplyMachineConfigNodeSpec(fgHandler ctrlcommon.FeatureGatesHand }, } + // Set the desired config version in the MCN newMCNode.Spec.ConfigVersion = mcfgv1.MachineConfigNodeSpecMachineConfigVersion{ Desired: node.Annotations[daemonconsts.DesiredMachineConfigAnnotationKey], } - // Set desired config to NotYetSet if the annotation is empty to satisfy API validation + // If the desired config does not yet exist for the node, the desired config should be set to NotYetSet if newMCNode.Spec.ConfigVersion.Desired == "" { newMCNode.Spec.ConfigVersion.Desired = NotYetSet } + // Check that the ImageModeStatusReporting feature gate is enabled + if fgHandler.Enabled(features.FeatureGateImageModeStatusReporting) { + // Set the desired image in the MCN if it exists + newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{} + if node.Annotations[daemonconsts.DesiredImageAnnotationKey] != "" { + newMCNode.Spec.ConfigImage.DesiredImage = mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]) + } + } + + // Set the MCN pool and node names newMCNode.Spec.Pool = mcfgv1.MCOObjectReference{ Name: pool, } newMCNode.Spec.Node = mcfgv1.MCOObjectReference{ Name: node.Name, } + + // Update the existing MCN with the new Spec values or create a new MCN if !needNewMCNode { nodeRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Node.Name) poolRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Pool.Name)