diff --git a/cmd/machine-config-controller/start.go b/cmd/machine-config-controller/start.go
index 0945aba22c..dc191b6c33 100644
--- a/cmd/machine-config-controller/start.go
+++ b/cmd/machine-config-controller/start.go
@@ -134,6 +134,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 		ctrlctx.ClientBuilder.MachineClientOrDie("machine-set-boot-image-controller"),
 		ctrlctx.KubeNamespacedInformerFactory.Core().V1().ConfigMaps(),
 		ctrlctx.MachineInformerFactory.Machine().V1beta1().MachineSets(),
+		ctrlctx.MachineInformerFactory.Machine().V1().ControlPlaneMachineSets(),
 		ctrlctx.ConfigInformerFactory.Config().V1().Infrastructures(),
 		ctrlctx.ClientBuilder.OperatorClientOrDie(componentName),
 		ctrlctx.OperatorInformerFactory.Operator().V1().MachineConfigurations(),
diff --git a/go.mod b/go.mod
index 0ce53e3c4d..5cc713ce39 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9
-	github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2
+	github.com/openshift/api v0.0.0-20251013165757-fe48e8fd548b
 	github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b
 	github.com/openshift/library-go v0.0.0-20250911074910-e2c18d5abc3a
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
diff --git a/go.sum b/go.sum
index ca6907b8c8..5fb66ff53c 100644
--- a/go.sum
+++ b/go.sum
@@ -595,8 +595,8 @@ github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplU
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9 h1:4ZeSM80DVCb5WWB3Q/fyCI9jYXAl9bfrGnFvFONqzN4=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250722101414-8083129ab8f9/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2 h1:orbYgUTUMs2asHZhT792jeXlVzOqGFaGo8FbD9ihnsE=
-github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
+github.com/openshift/api v0.0.0-20251013165757-fe48e8fd548b h1:X18aj8dcvmGC9T7xiHHz3B9YRT4b5KiX/snG27cj9mc=
+github.com/openshift/api v0.0.0-20251013165757-fe48e8fd548b/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
 github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b h1:VQpSjWE8jmsPj+EXB+XABTLmDgg9xtT8/fudB/31/aI=
 github.com/openshift/client-go v0.0.0-20250911202206-1bc0cb0da03b/go.mod h1:w7sV33ASK/HcuEb0Ll9qvChZdJwNwqo8GocVAnd7fVY=
 github.com/openshift/kubernetes v1.30.1-0.20250716113245-b94367cabf3e h1:M5BrUTglTltZjcRz5ouJBqSw0a60p760Bl520ndOGS0=
diff --git a/manifests/machineconfigcontroller/clusterrole.yaml b/manifests/machineconfigcontroller/clusterrole.yaml
index d2f5514ef1..64398641db 100644
--- a/manifests/machineconfigcontroller/clusterrole.yaml
+++ b/manifests/machineconfigcontroller/clusterrole.yaml
@@ -37,7 +37,7 @@ rules:
   resources: ["daemonsets"]
   verbs: ["get"]
 - apiGroups: ["machine.openshift.io"]
-  resources: ["machinesets","machines"]
+  resources: ["machinesets","machines","controlplanemachinesets"]
   verbs: ["get", "list", "watch", "patch"]
 - apiGroups: ["operator.openshift.io"]
   resources: ["machineconfigurations/status"]
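Review bot: The new `controlplanemachinesets` entry inherits `patch` from the existing MachineSet rule, which is what the controller's patch path for ControlPlaneMachineSets requires, but the grant is unconditional while the controller only registers CPMS event handlers behind the ManagedBootImagesCPMS feature gate, so the service account holds write access to the control-plane machine template even on clusters where the feature is off. That is probably unavoidable with a static manifest, but a short comment in the manifest would make the broadened grant traceable when the role is audited, e.g. `# patch on controlplanemachinesets is used by the machine-set-boot-image controller (ManagedBootImagesCPMS)`.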
diff --git a/pkg/controller/machine-set-boot-image/cpms_helpers.go b/pkg/controller/machine-set-boot-image/cpms_helpers.go
new file mode 100644
index 0000000000..48b11f481f
--- /dev/null
+++ b/pkg/controller/machine-set-boot-image/cpms_helpers.go
@@ -0,0 +1,346 @@ +package machineset + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "time" + + archtranslater "github.com/coreos/stream-metadata-go/arch" + "github.com/coreos/stream-metadata-go/stream" + osconfigv1 "github.com/openshift/api/config/v1" + features "github.com/openshift/api/features" + machinev1 "github.com/openshift/api/machine/v1" + opv1 "github.com/openshift/api/operator/v1" + ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common" + operatorversion "github.com/openshift/machine-config-operator/pkg/version" + "sigs.k8s.io/yaml" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kruntime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + kubeErrs "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/jsonmergepatch" + "k8s.io/apimachinery/pkg/util/wait" + clientset "k8s.io/client-go/kubernetes" + "k8s.io/klog/v2" +) + +// syncControlPlaneMachineSets will attempt to enqueue every control plane machineset +// ControlPlaneMachineSets are singletons, but for the sake of consistency with the other +// syncs, I chose to keep this function similar. +// nolint:dupl // I separated these from syncMAPIMachineSets for readability +func (ctrl *Controller) syncControlPlaneMachineSets(reason string) { + + // Check if CPMS feature gate is enabled + if !ctrl.fgHandler.Enabled(features.FeatureGateManagedBootImagesCPMS) { + klog.V(4).Infof("ManagedBootImagesCPMS feature gate is not enabled, skipping CPMS sync") + return + } + + ctrl.cpmsSyncMutex.Lock() + defer ctrl.cpmsSyncMutex.Unlock() + + var mcop *opv1.MachineConfiguration + var pollError error + // Wait for mcop.Status to populate, otherwise error out. This shouldn't take very long + // as this is done by the operator sync loop. 
+ if err := wait.PollUntilContextTimeout(context.TODO(), 5*time.Second, 2*time.Minute, true, func(_ context.Context) (bool, error) { + mcop, pollError = ctrl.mcopLister.Get(ctrlcommon.MCOOperatorKnobsObjectName) + if pollError != nil { + klog.Errorf("MachineConfiguration/cluster has not been created yet") + return false, nil + } + + // Ensure status.ObservedGeneration matches the last generation of MachineConfiguration + if mcop.Generation != mcop.Status.ObservedGeneration { + klog.Errorf("MachineConfiguration.Status is not up to date.") + pollError = fmt.Errorf("MachineConfiguration.Status is not up to date") + return false, nil + } + return true, nil + }); err != nil { + klog.Errorf("MachineConfiguration was not ready: %v", pollError) + ctrl.updateConditions(reason, fmt.Errorf("MachineConfiguration was not ready: while enqueueing ControlPlaneMachineSet %v", err), opv1.MachineConfigurationBootImageUpdateDegraded) + return + } + + machineManagerFound, machineResourceSelector, err := getMachineResourceSelectorFromMachineManagers(mcop.Status.ManagedBootImagesStatus.MachineManagers, opv1.MachineAPI, opv1.ControlPlaneMachineSets) + if err != nil { + klog.Errorf("failed to create a machineset selector while enqueueing controlplanemachineset %v", err) + ctrl.updateConditions(reason, fmt.Errorf("failed to create a machineset selector while enqueueing ControlPlaneMachineSet %v", err), opv1.MachineConfigurationBootImageUpdateDegraded) + return + } + if !machineManagerFound { + klog.V(4).Infof("No ControlPlaneMachineSet manager was found, so no ControlPlaneMachineSet will be enrolled.") + // clear out MAPI boot image history + for k := range ctrl.cpmsBootImageState { + delete(ctrl.cpmsBootImageState, k) + } + } + + controlPlaneMachineSets, err := ctrl.cpmsLister.List(machineResourceSelector) + if err != nil { + klog.Errorf("failed to fetch ControlPlaneMachineSet list while enqueueing ControlPlaneMachineSet %v", err) + ctrl.updateConditions(reason, fmt.Errorf("failed to fetch 
ControlPlaneMachineSet list while enqueueing ControlPlaneMachineSet %v", err), opv1.MachineConfigurationBootImageUpdateDegraded) + return + } + + // If no machine resources were enrolled; exit the enqueue process without errors. + if len(controlPlaneMachineSets) == 0 { + klog.Infof("No ControlPlaneMachineSet was enrolled, so no ControlPlaneMachineSet will be enqueued.") + // clear out ControlPlaneMachineSet boot image history + for k := range ctrl.cpmsBootImageState { + delete(ctrl.cpmsBootImageState, k) + } + } + + // Reset stats before initiating reconciliation loop + ctrl.cpmsStats.inProgress = 0 + ctrl.cpmsStats.totalCount = len(controlPlaneMachineSets) + ctrl.cpmsStats.erroredCount = 0 + + // Signal start of reconciliation process, by setting progressing to true + var syncErrors []error + ctrl.updateConditions(reason, nil, opv1.MachineConfigurationBootImageUpdateProgressing) + + for _, controlPlaneMachineSet := range controlPlaneMachineSets { + err := ctrl.syncControlPlaneMachineSet(controlPlaneMachineSet) + if err == nil { + ctrl.cpmsStats.inProgress++ + } else { + klog.Errorf("Error syncing ControlPlaneMachineSet %v", err) + syncErrors = append(syncErrors, fmt.Errorf("error syncing ControlPlaneMachineSet %s: %v", controlPlaneMachineSet.Name, err)) + ctrl.cpmsStats.erroredCount++ + } + // Update progressing conditions every step of the loop + ctrl.updateConditions(reason, nil, opv1.MachineConfigurationBootImageUpdateProgressing) + } + // Update/Clear degrade conditions based on errors from this loop + ctrl.updateConditions(reason, kubeErrs.NewAggregate(syncErrors), opv1.MachineConfigurationBootImageUpdateDegraded) +} + +// syncControlPlaneMachineSet will attempt to reconcile the provided ControlPlaneMachineSet +func (ctrl *Controller) syncControlPlaneMachineSet(controlPlaneMachineSet *machinev1.ControlPlaneMachineSet) error { + + startTime := time.Now() + klog.V(4).Infof("Started syncing ControlPlaneMachineSet %q (%v)", controlPlaneMachineSet.Name, startTime) 
+ defer func() { + klog.V(4).Infof("Finished syncing ControlPlaneMachineSet %q (%v)", controlPlaneMachineSet.Name, time.Since(startTime)) + }() + + // If the machineset has an owner reference, exit and report error. This means + // that the machineset may be managed by another workflow and should not be reconciled. + if len(controlPlaneMachineSet.GetOwnerReferences()) != 0 { + klog.Infof("ControlPlaneMachineSet %s has OwnerReference: %v, skipping boot image update", controlPlaneMachineSet.GetOwnerReferences()[0].Kind+"/"+controlPlaneMachineSet.GetOwnerReferences()[0].Name, controlPlaneMachineSet.Name) + return nil + } + + if os, ok := controlPlaneMachineSet.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.Labels[OSLabelKey]; ok { + if os == "Windows" { + klog.Infof("ControlPlaneMachineSet %s has a windows os label, skipping boot image update", controlPlaneMachineSet.Name) + return nil + } + } + + // ControlPlaneMachineSets do not normally have an arch annotation, so use the architecture of the node + // running this pod, which will always be a control plane node. + arch := archtranslater.CurrentRpmArch() + + // Fetch the infra object to determine the platform type + infra, err := ctrl.infraLister.Get("cluster") + if err != nil { + return fmt.Errorf("failed to fetch infra object during ControlPlaneMachineSet sync: %w", err) + } + + // Fetch the bootimage configmap & ensure it has been stamped by the operator. This is done by + // the operator when a master node successfully updates to a new image. This is + // to prevent machinesets from being updated before the operator itself has updated. + // If it hasn't been updated, exit and wait for a resync. 
+ configMap, err := ctrl.mcoCmLister.ConfigMaps(ctrlcommon.MCONamespace).Get(ctrlcommon.BootImagesConfigMapName) + if err != nil { + return fmt.Errorf("failed to fetch coreos-bootimages config map duringControlPlaneMachineSet sync: %w", err) + } + versionHashFromCM, versionHashFound := configMap.Data[ctrlcommon.MCOVersionHashKey] + if !versionHashFound { + klog.Infof("failed to find mco version hash in %s configmap, sync will exit to wait for the MCO upgrade to complete", ctrlcommon.BootImagesConfigMapName) + return nil + } + if versionHashFromCM != operatorversion.Hash { + klog.Infof("mismatch between MCO hash version stored in configmap and current MCO version; sync will exit to wait for the MCO upgrade to complete") + return nil + } + releaseVersionFromCM, releaseVersionFound := configMap.Data[ctrlcommon.OCPReleaseVersionKey] + if !releaseVersionFound { + klog.Infof("failed to find OCP release version in %s configmap, sync will exit to wait for the MCO upgrade to complete", ctrlcommon.BootImagesConfigMapName) + return nil + } + if releaseVersionFromCM != operatorversion.ReleaseVersion { + klog.Infof("mismatch between OCP release version stored in configmap and current MCO release version; sync will exit to wait for the MCO upgrade to complete") + return nil + } + + // Check if the this ControlPlaneMachineSet requires an update + patchRequired, newControlPlaneMachineSet, err := checkControlPlaneMachineSet(infra, controlPlaneMachineSet, configMap, arch, ctrl.kubeClient) + if err != nil { + return fmt.Errorf("failed to reconcile ControlPlaneMachineSet %s, err: %w", controlPlaneMachineSet.Name, err) + } + + // Patch the machineset if required + if patchRequired { + // First, check if we're hot looping + if ctrl.checkControlPlaneMachineSetHotLoop(newControlPlaneMachineSet) { + return fmt.Errorf("refusing to reconcile ControlPlaneMachineSet %s, hot loop detected. 
Please opt-out of boot image updates, adjust your machine provisioning workflow to prevent hot loops and opt back in to resume boot image updates", controlPlaneMachineSet.Name) + } + klog.Infof("Patching ControlPlaneMachineSet %s", controlPlaneMachineSet.Name) + return ctrl.patchControlPlaneMachineSet(controlPlaneMachineSet, newControlPlaneMachineSet) + } + klog.Infof("No patching required for ControlPlaneMachineSet %s", controlPlaneMachineSet.Name) + return nil +} + +// Checks against a local store of boot image updates to detect hot looping +func (ctrl *Controller) checkControlPlaneMachineSetHotLoop(machineSet *machinev1.ControlPlaneMachineSet) bool { + bis, ok := ctrl.cpmsBootImageState[machineSet.Name] + if !ok { + // If the controlplanemachineset doesn't currently have a record, create a new one. + ctrl.cpmsBootImageState[machineSet.Name] = BootImageState{ + value: machineSet.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value.Raw, + hotLoopCount: 1, + } + } else { + hotLoopCount := 1 + // If the controller is updating to a value that was previously updated to, increase the hot loop counter + if bytes.Equal(bis.value, machineSet.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value.Raw) { + hotLoopCount = (bis.hotLoopCount) + 1 + } + // Return an error and degrade if the hot loop counter is above threshold + if hotLoopCount > HotLoopLimit { + return true + } + ctrl.cpmsBootImageState[machineSet.Name] = BootImageState{ + value: machineSet.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value.Raw, + hotLoopCount: hotLoopCount, + } + } + return false +} + +// This function patches the ControlPlaneMachineSet object using the machineClient +// Returns an error if marshsalling or patching fails. 
+func (ctrl *Controller) patchControlPlaneMachineSet(oldControlPlaneMachineSet, newControlPlaneMachineSet *machinev1.ControlPlaneMachineSet) error { + oldControlPlaneMachineSetMarshal, err := json.Marshal(oldControlPlaneMachineSet) + if err != nil { + return fmt.Errorf("unable to marshal old ControlPlaneMachineSet: %w", err) + } + newControlPlaneMachineSetMarshal, err := json.Marshal(newControlPlaneMachineSet) + if err != nil { + return fmt.Errorf("unable to marshal new ControlPlaneMachineSet: %w", err) + } + patchBytes, err := jsonmergepatch.CreateThreeWayJSONMergePatch(oldControlPlaneMachineSetMarshal, newControlPlaneMachineSetMarshal, oldControlPlaneMachineSetMarshal) + if err != nil { + return fmt.Errorf("unable to create patch for new ControlPlaneMachineSet: %w", err) + } + _, err = ctrl.machineClient.MachineV1().ControlPlaneMachineSets(MachineAPINamespace).Patch(context.TODO(), oldControlPlaneMachineSet.Name, types.MergePatchType, patchBytes, metav1.PatchOptions{}) + if err != nil { + return fmt.Errorf("unable to patch new ControlPlaneMachineSet: %w", err) + } + klog.Infof("Successfully patched ControlPlaneMachineSet %s", oldControlPlaneMachineSet.Name) + return nil +} + +// This function calls the appropriate reconcile function based on the infra type +// On success, it will return a bool indicating if a patch is required, and an updated +// machineset object if any. It will return an error if any of the above steps fail. 
+func checkControlPlaneMachineSet(infra *osconfigv1.Infrastructure, machineSet *machinev1.ControlPlaneMachineSet, configMap *corev1.ConfigMap, arch string, secretClient clientset.Interface) (bool, *machinev1.ControlPlaneMachineSet, error) { + switch infra.Status.PlatformStatus.Type { + case osconfigv1.AWSPlatformType: + return reconcilePlatformCPMS(machineSet, infra, configMap, arch, secretClient, reconcileAWSProviderSpec) + case osconfigv1.AzurePlatformType: + return reconcilePlatformCPMS(machineSet, infra, configMap, arch, secretClient, reconcileAzureProviderSpec) + case osconfigv1.GCPPlatformType: + return reconcilePlatformCPMS(machineSet, infra, configMap, arch, secretClient, reconcileGCPProviderSpec) + // TODO: vsphere CPMS template seems to be empty in CI runs, and will need further investigation + default: + klog.Infof("Skipping controlplanemachineset %s, unsupported platform %s", machineSet.Name, infra.Status.PlatformStatus.Type) + return false, nil, nil + } +} + +// Generic reconcile function that handles the common pattern across all platforms +// nolint:dupl // I separated this from reconcilePlatform for readability +func reconcilePlatformCPMS[T any]( + cpms *machinev1.ControlPlaneMachineSet, + infra *osconfigv1.Infrastructure, + configMap *corev1.ConfigMap, + arch string, + secretClient clientset.Interface, + reconcileProviderSpec func(*stream.Stream, string, *osconfigv1.Infrastructure, *T, string, clientset.Interface) (bool, *T, error), +) (patchRequired bool, newCPMS *machinev1.ControlPlaneMachineSet, err error) { + klog.Infof("Reconciling controlplanemachineset %s on %s, with arch %s", cpms.Name, string(infra.Status.PlatformStatus.Type), arch) + + // Unmarshal the provider spec + providerSpec := new(T) + if err := unmarshalProviderSpecCPMS(cpms, providerSpec); err != nil { + return false, nil, err + } + + // Unmarshal the configmap into a stream object + streamData := new(stream.Stream) + if err := unmarshalStreamDataConfigMap(configMap, streamData); 
err != nil { + return false, nil, err + } + + // Reconcile the provider spec + patchRequired, newProviderSpec, err := reconcileProviderSpec(streamData, arch, infra, providerSpec, cpms.Name, secretClient) + if err != nil { + return false, nil, err + } + + // If no patch is required, exit early + if !patchRequired { + return false, nil, nil + } + + // If patch is required, marshal the new providerspec into the controlplanemachineset + newCPMS = cpms.DeepCopy() + if err := marshalProviderSpecCPMS(newCPMS, newProviderSpec); err != nil { + return false, nil, err + } + return patchRequired, newCPMS, nil +} + +// This function unmarshals the controlplanemachineset's provider spec into +// a ProviderSpec object. Returns an error if providerSpec field is nil, +// or the unmarshal fails +func unmarshalProviderSpecCPMS(ms *machinev1.ControlPlaneMachineSet, providerSpec interface{}) error { + if ms == nil { + return fmt.Errorf("ControlPlaneMachineSet object was nil") + } + if ms.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value == nil { + return fmt.Errorf("providerSpec field was empty") + } + if err := yaml.Unmarshal(ms.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value.Raw, &providerSpec); err != nil { + return fmt.Errorf("unmarshal into providerSpec failed %w", err) + } + return nil +} + +// This function marshals the ProviderSpec object into a ControlPlaneMachineSet object. 
+// Returns an error if ProviderSpec or ControlPlaneMachineSet is nil, or if the marshal fails +func marshalProviderSpecCPMS(ms *machinev1.ControlPlaneMachineSet, providerSpec interface{}) error { + if ms == nil { + return fmt.Errorf("ControlPlaneMachineSet object was nil") + } + if providerSpec == nil { + return fmt.Errorf("ProviderSpec object was nil") + } + rawBytes, err := json.Marshal(providerSpec) + if err != nil { + return fmt.Errorf("marshal into machineset failed: %w", err) + } + ms.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value = &kruntime.RawExtension{Raw: rawBytes} + return nil +} diff --git a/pkg/controller/machine-set-boot-image/machine_set_boot_image_controller.go b/pkg/controller/machine-set-boot-image/machine_set_boot_image_controller.go index 9624ac5767..f69c029474 100644 --- a/pkg/controller/machine-set-boot-image/machine_set_boot_image_controller.go +++ b/pkg/controller/machine-set-boot-image/machine_set_boot_image_controller.go @@ -6,6 +6,7 @@ import ( "reflect" "sync" + features "github.com/openshift/api/features" opv1 "github.com/openshift/api/operator/v1" configinformersv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1" configlistersv1 "github.com/openshift/client-go/config/listers/config/v1" 
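Review bot: In syncControlPlaneMachineSets the `!machineManagerFound` branch clears `cpmsBootImageState` but does not return, so execution continues into `ctrl.cpmsLister.List(machineResourceSelector)` with whatever selector the not-found path produced; unless getMachineResourceSelectorFromMachineManagers is known to return a usable selector in that case, add `return` after the `delete` loop (the `len(controlPlaneMachineSets) == 0` branch has the same shape and its comment says "exit", yet it also falls through into the stats reset and condition updates). Several places dereference `Spec.Template.OpenShiftMachineV1Beta1Machine` (the Windows label check, checkControlPlaneMachineSetHotLoop, unmarshalProviderSpecCPMS, marshalProviderSpecCPMS); in the openshift/api CPMS types that field appears to be a pointer that is only populated for the v1beta1 machine template type, so a guard near the top of syncControlPlaneMachineSet such as `if controlPlaneMachineSet.Spec.Template.OpenShiftMachineV1Beta1Machine == nil { return fmt.Errorf("ControlPlaneMachineSet %s has no OpenShiftMachineV1Beta1Machine template", controlPlaneMachineSet.Name) }` would keep a differently-typed object from panicking the controller; confirm against the vendored type. The comment in the not-found branch still says "clear out MAPI boot image history" and should name ControlPlaneMachineSet.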
@@ -23,10 +24,13 @@ import ( "k8s.io/klog/v2" "k8s.io/kubectl/pkg/scheme" + machinev1 "github.com/openshift/api/machine/v1" machinev1beta1 "github.com/openshift/api/machine/v1beta1" machineclientset "github.com/openshift/client-go/machine/clientset/versioned" - mapimachineinformers "github.com/openshift/client-go/machine/informers/externalversions/machine/v1beta1" - machinelisters "github.com/openshift/client-go/machine/listers/machine/v1beta1" + mapimachineinformersv1 "github.com/openshift/client-go/machine/informers/externalversions/machine/v1" + mapimachineinformersv1beta1 "github.com/openshift/client-go/machine/informers/externalversions/machine/v1beta1" + machinelistersv1 "github.com/openshift/client-go/machine/listers/machine/v1" + machinelistersv1beta1 "github.com/openshift/client-go/machine/listers/machine/v1beta1" mcopinformersv1 "github.com/openshift/client-go/operator/informers/externalversions/operator/v1" mcoplistersv1 "github.com/openshift/client-go/operator/listers/operator/v1" @@ -41,21 +45,26 @@ type Controller struct { eventRecorder record.EventRecorder mcoCmLister corelisterv1.ConfigMapLister - mapiMachineSetLister machinelisters.MachineSetLister + mapiMachineSetLister machinelistersv1beta1.MachineSetLister + cpmsLister machinelistersv1.ControlPlaneMachineSetLister infraLister configlistersv1.InfrastructureLister mcopLister mcoplistersv1.MachineConfigurationLister mcoCmListerSynced cache.InformerSynced mapiMachineSetListerSynced cache.InformerSynced + cpmsListerSynced cache.InformerSynced infraListerSynced cache.InformerSynced mcopListerSynced cache.InformerSynced mapiStats MachineResourceStats + cpmsStats MachineResourceStats capiMachineSetStats MachineResourceStats capiMachineDeploymentStats MachineResourceStats mapiBootImageState map[string]BootImageState + cpmsBootImageState map[string]BootImageState conditionMutex sync.Mutex mapiSyncMutex sync.Mutex + cpmsSyncMutex sync.Mutex fgHandler ctrlcommon.FeatureGatesHandler } 
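Review bot: `cpmsStats` is written by syncControlPlaneMachineSets while holding `cpmsSyncMutex` (the reset to zero and the per-iteration `inProgress++`/`erroredCount++`), but it is read by updateConditions under `conditionMutex` only, so a MAPI sync calling updateConditions concurrently with a running CPMS sync reads those counters without any common lock. This mirrors the existing mapiStats/capi pattern rather than being new to this change, but the struct should document which lock guards which field, e.g. `// cpmsStats and cpmsBootImageState are only written while cpmsSyncMutex is held; cpmsStats is also read by updateConditions under conditionMutex.` Running the controller's unit tests with `-race` would show whether the overlap is reachable in practice.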
@@ -74,7 +83,7 @@ type BootImageState struct { hotLoopCount int } -// Helper function that checks if all resources have been evaluated +// isFinished checks if all resources have been evaluated func (mrs MachineResourceStats) isFinished() bool { return mrs.totalCount == (mrs.inProgress + mrs.erroredCount) } @@ -101,7 +110,8 @@ func New( kubeClient clientset.Interface, machineClient machineclientset.Interface, mcoCmInfomer coreinformersv1.ConfigMapInformer, - mapiMachineSetInformer mapimachineinformers.MachineSetInformer, + mapiMachineSetInformer mapimachineinformersv1beta1.MachineSetInformer, + cpmsInformer mapimachineinformersv1.ControlPlaneMachineSetInformer, infraInformer configinformersv1.InfrastructureInformer, mcopClient mcopclientset.Interface, mcopInformer mcopinformersv1.MachineConfigurationInformer, @@ -120,11 +130,13 @@ func New( ctrl.mcoCmLister = mcoCmInfomer.Lister() ctrl.mapiMachineSetLister = mapiMachineSetInformer.Lister() + ctrl.cpmsLister = cpmsInformer.Lister() ctrl.infraLister = infraInformer.Lister() ctrl.mcopLister = mcopInformer.Lister() ctrl.mcoCmListerSynced = mcoCmInfomer.Informer().HasSynced ctrl.mapiMachineSetListerSynced = mapiMachineSetInformer.Informer().HasSynced + ctrl.cpmsListerSynced = cpmsInformer.Informer().HasSynced ctrl.infraListerSynced = infraInformer.Informer().HasSynced ctrl.mcopListerSynced = mcopInformer.Informer().HasSynced @@ -134,6 +146,15 @@ func New( DeleteFunc: ctrl.deleteMAPIMachineSet, }) + if fgHandler.Enabled(features.FeatureGateManagedBootImagesCPMS) { + klog.V(4).Infof("ManagedBootImagesCPMS feature gate is enabled, adding CPMS event handlers") + cpmsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: ctrl.addControlPlaneMachineSet, + UpdateFunc: ctrl.updateControlPlaneMachineSet, + DeleteFunc: ctrl.deleteControlPlaneMachineSet, + }) + } + mcoCmInfomer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: ctrl.addConfigMap, UpdateFunc: ctrl.updateConfigMap, 
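Review bot: `cpmsInformer.Informer()` is called unconditionally for `cpmsListerSynced` (the @@ -120 hunk), so the ControlPlaneMachineSet informer is registered and will list/watch regardless of the feature gate, while its event handlers are only attached when ManagedBootImagesCPMS is enabled; that asymmetry is reasonable, since the lister is still needed, but a comment such as `// The CPMS informer is always started so the lister is populated; event handlers are feature-gated.` would make it deliberate. Run's WaitForCacheSync is outside these hunks; confirm `cpmsListerSynced` was added to it, otherwise an early syncAll can list an empty CPMS cache and clear cpmsBootImageState.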
@@ -149,6 +170,7 @@ func New( ctrl.fgHandler = fgHandler ctrl.mapiBootImageState = map[string]BootImageState{} + ctrl.cpmsBootImageState = map[string]BootImageState{} return ctrl } @@ -167,6 +189,8 @@ func (ctrl *Controller) Run(stopCh <-chan struct{}) { <-stopCh } +// addMAPIMachineSet handles the addition of a MAPI MachineSet by triggering +// a reconciliation of all enrolled MAPI MachineSets. func (ctrl *Controller) addMAPIMachineSet(obj interface{}) { machineSet := obj.(*machinev1beta1.MachineSet) @@ -179,6 +203,8 @@ func (ctrl *Controller) addMAPIMachineSet(obj interface{}) { go func() { ctrl.syncMAPIMachineSets("MAPIMachinesetAdded") }() } +// updateMAPIMachineSet handles updates to a MAPI MachineSet by triggering +// a reconciliation if the ProviderSpec, labels, annotations, or owner references changed. func (ctrl *Controller) updateMAPIMachineSet(oldMS, newMS interface{}) { oldMachineSet := oldMS.(*machinev1beta1.MachineSet) @@ -200,6 +226,8 @@ func (ctrl *Controller) updateMAPIMachineSet(oldMS, newMS interface{}) { go func() { ctrl.syncMAPIMachineSets("MAPIMachinesetUpdated") }() } +// deleteMAPIMachineSet handles the deletion of a MAPI MachineSet by triggering +// a reconciliation of all enrolled MAPI MachineSets. func (ctrl *Controller) deleteMAPIMachineSet(deletedMS interface{}) { deletedMachineSet := deletedMS.(*machinev1beta1.MachineSet) 
@@ -212,6 +240,59 @@ func (ctrl *Controller) deleteMAPIMachineSet(deletedMS interface{}) { go func() { ctrl.syncMAPIMachineSets("MAPIMachinesetDeleted") }() } +// addControlPlaneMachineSet handles the addition of a ControlPlaneMachineSet by triggering +// a reconciliation of all enrolled ControlPlaneMachineSets. +func (ctrl *Controller) addControlPlaneMachineSet(obj interface{}) { + + machineSet := obj.(*machinev1.ControlPlaneMachineSet) + + klog.Infof("ControlPlaneMachineSet %s added, reconciling enrolled machine resources", machineSet.Name) + + // Update/Check all ControlPlaneMachineSets instead of just this one. This prevents needing to maintain a local + // store of machineset conditions. As this is using a lister, it is relatively inexpensive to do + // this. + go func() { ctrl.syncControlPlaneMachineSets("ControlPlaneMachineSetAdded") }() +} + +// updateControlPlaneMachineSet handles updates to a ControlPlaneMachineSet by triggering +// a reconciliation if the ProviderSpec, labels, annotations, or owner references changed. +func (ctrl *Controller) updateControlPlaneMachineSet(oldCPMS, newCPMS interface{}) { + + oldMS := oldCPMS.(*machinev1.ControlPlaneMachineSet) + newMS := newCPMS.(*machinev1.ControlPlaneMachineSet) + + // Don't take action if the there is no change in the MachineSet's ProviderSpec, labels, annotations and ownerreferences + if reflect.DeepEqual(oldMS.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec, newMS.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec) && + reflect.DeepEqual(oldMS.GetLabels(), newMS.GetLabels()) && + reflect.DeepEqual(oldMS.GetAnnotations(), newMS.GetAnnotations()) && + reflect.DeepEqual(oldMS.GetOwnerReferences(), newMS.GetOwnerReferences()) { + return + } + + klog.Infof("ControlPlaneMachineSet %s updated, reconciling enrolled machineset resources", oldMS.Name) + + // Update all ControlPlaneMachineSets instead of just this one. 
This prevents needing to maintain a local + // store of machineset conditions. As this is using a lister, it is relatively inexpensive to do + // this. + go func() { ctrl.syncControlPlaneMachineSets("ControlPlaneMachineSetUpdated") }() +} + +// deleteControlPlaneMachineSet handles the deletion of a ControlPlaneMachineSet by triggering +// a reconciliation of all enrolled ControlPlaneMachineSets. +func (ctrl *Controller) deleteControlPlaneMachineSet(deletedCPMS interface{}) { + + deletedMachineSet := deletedCPMS.(*machinev1beta1.MachineSet) + + klog.Infof("ControlPlaneMachineSet %s deleted, reconciling enrolled machineset resources", deletedMachineSet.Name) + + // Update all ControlPlaneMachineSets. This prevents needing to maintain a local + // store of machineset conditions. As this is using a lister, it is relatively inexpensive to do + // this. + go func() { ctrl.syncControlPlaneMachineSets("ControlPlaneMachineSetDeleted") }() +} + +// addConfigMap handles the addition of the boot images ConfigMap by triggering +// a reconciliation of all enrolled machine resources. func (ctrl *Controller) addConfigMap(obj interface{}) { configMap := obj.(*corev1.ConfigMap) @@ -224,10 +305,11 @@ func (ctrl *Controller) addConfigMap(obj interface{}) { klog.Infof("configMap %s added, reconciling enrolled machine resources", configMap.Name) // Update all machinesets since the "golden" configmap has been added - // TODO: Add go routines for CAPI resources here - go func() { ctrl.syncMAPIMachineSets("BootImageConfigMapAdded") }() + go func() { ctrl.syncAll("BootImageConfigMapAdded") }() } +// updateConfigMap handles updates to the boot images ConfigMap by triggering +// a reconciliation of all enrolled machine resources if the resource version changed. func (ctrl *Controller) updateConfigMap(oldCM, newCM interface{}) { oldConfigMap := oldCM.(*corev1.ConfigMap) 
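Review bot: deleteControlPlaneMachineSet asserts `deletedCPMS.(*machinev1beta1.MachineSet)`, but the handler is registered on the ControlPlaneMachineSet informer, so the first delete event will panic on the type assertion; it should read `deletedMachineSet := deletedCPMS.(*machinev1.ControlPlaneMachineSet)` as in the add and update handlers. None of the three new handlers handles a `cache.DeletedFinalStateUnknown` tombstone either (the existing MAPI handlers share that pattern), so a checked assertion with an early return would be safer than an unchecked one. updateControlPlaneMachineSet also dereferences `Spec.Template.OpenShiftMachineV1Beta1Machine` on both objects, which appears to be a pointer field in the CPMS API; guard for nil before comparing ProviderSpec.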
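Review bot: The ConfigMap and MachineConfiguration handlers now fan out through `ctrl.syncAll(...)` (this hunk and the ones at @@ -246, @@ -262, @@ -278, @@ -301 and @@ -318), but syncAll is neither defined nor modified anywhere in this diff; if it is pre-existing, confirm it also calls syncControlPlaneMachineSets, otherwise a boot image ConfigMap or MachineConfiguration change will re-sync MAPI/CAPI resources and leave ControlPlaneMachineSets stale. A one-line doc comment on updateConfigMap naming which syncs syncAll covers would make that contract visible to the next reader.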
@@ -246,10 +328,11 @@ func (ctrl *Controller) updateConfigMap(oldCM, newCM interface{}) { klog.Infof("configMap %s updated, reconciling enrolled machine resources", oldConfigMap.Name) // Update all machinesets since the "golden" configmap has been updated - // TODO: Add go routines for CAPI resources here - go func() { ctrl.syncMAPIMachineSets("BootImageConfigMapUpdated") }() + go func() { ctrl.syncAll("BootImageConfigMapUpdated") }() } +// deleteConfigMap handles the deletion of the boot images ConfigMap by triggering +// a reconciliation of all enrolled machine resources. func (ctrl *Controller) deleteConfigMap(obj interface{}) { configMap := obj.(*corev1.ConfigMap) @@ -262,9 +345,11 @@ func (ctrl *Controller) deleteConfigMap(obj interface{}) { klog.Infof("configMap %s deleted, reconciling enrolled machine resources", configMap.Name) // Update all machinesets since the "golden" configmap has been deleted - go func() { ctrl.syncMAPIMachineSets("BootImageConfigMapDeleted") }() + go func() { ctrl.syncAll("BootImageConfigMapDeleted") }() } +// addMachineConfiguration handles the addition of the cluster-level MachineConfiguration +// by triggering a reconciliation of all enrolled machine resources. func (ctrl *Controller) addMachineConfiguration(obj interface{}) { machineConfiguration := obj.(*opv1.MachineConfiguration) 
@@ -278,10 +363,11 @@ func (ctrl *Controller) addMachineConfiguration(obj interface{}) { klog.Infof("Bootimages management configuration has been added, reconciling enrolled machine resources") // Update/Check machinesets since the boot images configuration knob was updated - // TODO: Add go routines for CAPI resources here - go func() { ctrl.syncMAPIMachineSets("BootImageUpdateConfigurationAdded") }() + go func() { ctrl.syncAll("BootImageUpdateConfigurationAdded") }() } +// updateMachineConfiguration handles updates to the cluster-level MachineConfiguration +// by triggering a reconciliation if the ManagedBootImagesStatus changed. func (ctrl *Controller) updateMachineConfiguration(oldMC, newMC interface{}) { oldMachineConfiguration := oldMC.(*opv1.MachineConfiguration) @@ -301,10 +387,11 @@ func (ctrl *Controller) updateMachineConfiguration(oldMC, newMC interface{}) { klog.Infof("Bootimages management configuration has been updated, reconciling enrolled machine resources") // Update all machinesets since the boot images configuration knob was updated - // TODO: Add go routines for CAPI resources here - go func() { ctrl.syncMAPIMachineSets("BootImageUpdateConfigurationUpdated") }() + go func() { ctrl.syncAll("BootImageUpdateConfigurationUpdated") }() } +// deleteMachineConfiguration handles the deletion of the cluster-level MachineConfiguration +// by triggering a reconciliation of all enrolled machine resources. func (ctrl *Controller) deleteMachineConfiguration(obj interface{}) { machineConfiguration := obj.(*opv1.MachineConfiguration) 
@@ -318,10 +405,11 @@ func (ctrl *Controller) deleteMachineConfiguration(obj interface{}) {
 klog.Infof("Bootimages management configuration has been deleted, reconciling enrolled machine resources")
 // Update/Check machinesets since the boot images configuration knob was updated
- // TODO: Add go routines for CAPI resources here
- go func() { ctrl.syncMAPIMachineSets("BootImageUpdateConfigurationDeleted") }()
+ go func() { ctrl.syncAll("BootImageUpdateConfigurationDeleted") }()
 }
+// updateConditions updates the boot image update conditions on the MachineConfiguration status
+// based on the current state of machine resource reconciliation.
 func (ctrl *Controller) updateConditions(newReason string, syncError error, targetConditionType string) {
 ctrl.conditionMutex.Lock()
 defer ctrl.conditionMutex.Unlock()
@@ -339,19 +427,19 @@ func (ctrl *Controller) updateConditions(newReason string, syncError error, targ
 for i, condition := range newConditions {
 if condition.Type == targetConditionType {
 if condition.Type == opv1.MachineConfigurationBootImageUpdateProgressing {
- newConditions[i].Message = fmt.Sprintf("Reconciled %d of %d MAPI MachineSets | Reconciled %d of %d CAPI MachineSets | Reconciled %d of %d CAPI MachineDeployments", ctrl.mapiStats.inProgress, ctrl.mapiStats.totalCount, ctrl.capiMachineSetStats.inProgress, ctrl.capiMachineSetStats.totalCount, ctrl.capiMachineDeploymentStats.inProgress, ctrl.capiMachineDeploymentStats.totalCount)
+ newConditions[i].Message = fmt.Sprintf("Reconciled %d of %d MAPI MachineSets | Reconciled %d of %d ControlPlaneMachineSets | Reconciled %d of %d CAPI MachineSets | Reconciled %d of %d CAPI MachineDeployments", ctrl.mapiStats.inProgress, ctrl.mapiStats.totalCount, ctrl.cpmsStats.inProgress, ctrl.cpmsStats.totalCount, ctrl.capiMachineSetStats.inProgress, ctrl.capiMachineSetStats.totalCount, ctrl.capiMachineDeploymentStats.inProgress, ctrl.capiMachineDeploymentStats.totalCount)
 newConditions[i].Reason = newReason
 // If all machine resources have been processed, then the controller is no longer progressing.
- if ctrl.mapiStats.isFinished() && ctrl.capiMachineSetStats.isFinished() && ctrl.capiMachineDeploymentStats.isFinished() {
+ if ctrl.mapiStats.isFinished() && ctrl.cpmsStats.isFinished() && ctrl.capiMachineSetStats.isFinished() && ctrl.capiMachineDeploymentStats.isFinished() {
 newConditions[i].Status = metav1.ConditionFalse
 } else {
 newConditions[i].Status = metav1.ConditionTrue
 }
 } else if condition.Type == opv1.MachineConfigurationBootImageUpdateDegraded {
 if syncError == nil {
- newConditions[i].Message = fmt.Sprintf("%d Degraded MAPI MachineSets | %d Degraded CAPI MachineSets | %d CAPI MachineDeployments", ctrl.mapiStats.erroredCount, ctrl.capiMachineSetStats.erroredCount, ctrl.capiMachineDeploymentStats.erroredCount)
+ newConditions[i].Message = fmt.Sprintf("%d Degraded MAPI MachineSets | %d Degraded ControlPlaneMachineSets | %d Degraded CAPI MachineSets | %d CAPI MachineDeployments", ctrl.mapiStats.erroredCount, ctrl.cpmsStats.erroredCount, ctrl.capiMachineSetStats.erroredCount, ctrl.capiMachineDeploymentStats.erroredCount)
 } else {
- newConditions[i].Message = fmt.Sprintf("%d Degraded MAPI MachineSets | %d Degraded CAPI MachineSets | %d CAPI MachineDeployments | Error(s): %s", ctrl.mapiStats.erroredCount, ctrl.capiMachineSetStats.erroredCount, ctrl.capiMachineDeploymentStats.erroredCount, syncError.Error())
+ newConditions[i].Message = fmt.Sprintf("%d Degraded MAPI MachineSets | %d Degraded ControlPlaneMachineSets | %d Degraded CAPI MachineSets | %d CAPI MachineDeployments | Error(s): %s", ctrl.mapiStats.erroredCount, ctrl.cpmsStats.erroredCount, ctrl.capiMachineSetStats.erroredCount, ctrl.capiMachineDeploymentStats.erroredCount, syncError.Error())
 }
 newConditions[i].Reason = newReason
 if syncError != nil {
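Review bot: The two rewritten Degraded format strings still end with `%d CAPI MachineDeployments` without the `Degraded` qualifier that the other three counts carry, so the status reads as if MachineDeployments were a plain total; both branches should say `... | %d Degraded CAPI MachineSets | %d Degraded CAPI MachineDeployments`. These formats and the Progressing one are also duplicated as literals in getDefaultConditions, so this commit had to edit five strings by hand to add one counter and a future mismatch between the live and default messages would go unnoticed; hoisting the formats into package-level constants and deriving the defaults from them with zero counts would keep them in lockstep. updateConditions starts and ends outside this hunk.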
@@ -373,6 +461,8 @@ func (ctrl *Controller) updateConditions(newReason string, syncError error, targ
 }
 }
+// updateMachineConfigurationStatus updates the MachineConfiguration status with new conditions
+// using retry logic to handle concurrent updates.
 func (ctrl *Controller) updateMachineConfigurationStatus(mcop *opv1.MachineConfiguration, newConditions []metav1.Condition) {
 // Using a retry here as there may be concurrent reconiliation loops updating conditions for multiple
@@ -396,22 +486,30 @@ func (ctrl *Controller) updateMachineConfigurationStatus(mcop *opv1.MachineConfi
 }
 }
+// getDefaultConditions returns the default boot image update conditions when no
+// machine resources are enrolled.
 func getDefaultConditions() []metav1.Condition {
 // These are boilerplate conditions, with no machine resources enrolled.
 return []metav1.Condition{
 {
 Type: opv1.MachineConfigurationBootImageUpdateProgressing,
- Message: "Reconciled 0 of 0 MAPI MachineSets | Reconciled 0 of 0 CAPI MachineSets | Reconciled 0 of 0 CAPI MachineDeployments",
+ Message: "Reconciled 0 of 0 MAPI MachineSets | Reconciled 0 of 0 ControlPlaneMachineSets | Reconciled 0 of 0 CAPI MachineSets | Reconciled 0 of 0 CAPI MachineDeployments",
 Reason: "NA",
 LastTransitionTime: metav1.Now(),
 Status: metav1.ConditionFalse,
 },
 {
 Type: opv1.MachineConfigurationBootImageUpdateDegraded,
- Message: "0 Degraded MAPI MachineSets | 0 Degraded CAPI MachineSets | 0 CAPI MachineDeployments",
+ Message: "0 Degraded MAPI MachineSets | 0 Degraded ControlPlaneMachineSets | 0 Degraded CAPI MachineSets | 0 CAPI MachineDeployments",
 Reason: "NA",
 LastTransitionTime: metav1.Now(),
 Status: metav1.ConditionFalse,
 }}
 }
+
+// syncAll will attempt to enqueue all supported machine resources
+func (ctrl *Controller) syncAll(reason string) {
+ ctrl.syncControlPlaneMachineSets(reason)
+ ctrl.syncMAPIMachineSets(reason)
+}
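Review bot: syncAll runs syncControlPlaneMachineSets and then syncMAPIMachineSets sequentially on the one goroutine the handlers spawn, so a slow or blocked CPMS pass (syncMAPIMachineSets takes mapiSyncMutex in ms_helpers.go and the CPMS path presumably has a similar lock) delays MAPI MachineSet enqueueing even though the two resource kinds are independent. If that serialization is intentional the doc comment should say so; otherwise dispatch each sync with its own `go` statement and let the handlers call syncAll directly. The doc comment `// syncAll will attempt to enqueue all supported machine resources` also lacks the closing period used by the other new comments in this diff.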
diff --git a/pkg/controller/machine-set-boot-image/ms_helpers.go b/pkg/controller/machine-set-boot-image/ms_helpers.go
index ac371a7ec1..f87d0adbd6 100644
--- a/pkg/controller/machine-set-boot-image/ms_helpers.go
+++ b/pkg/controller/machine-set-boot-image/ms_helpers.go
@@ -24,6 +24,7 @@ import (
 )
 // syncMAPIMachineSets will attempt to enqueue every machineset
+// nolint:dupl // I separated this from syncControlPlaneMachineSets for readability
 func (ctrl *Controller) syncMAPIMachineSets(reason string) {
 ctrl.mapiSyncMutex.Lock()
diff --git a/pkg/controller/machine-set-boot-image/platform_helpers.go b/pkg/controller/machine-set-boot-image/platform_helpers.go
index 1e31e579b8..15b7b96038 100644
--- a/pkg/controller/machine-set-boot-image/platform_helpers.go
+++ b/pkg/controller/machine-set-boot-image/platform_helpers.go
@@ -62,6 +62,7 @@ func checkMachineSet(infra *osconfigv1.Infrastructure, machineSet *machinev1beta
 }
 // Generic reconcile function that handles the common pattern across all platforms
+// nolint:dupl // I separated this from reconcilePlatformCPMS for readability
 func reconcilePlatform[T any](
 machineSet *machinev1beta1.MachineSet,
 infra *osconfigv1.Infrastructure,
diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml
index 461415cbc5..e307e5af66 100644
--- a/vendor/github.com/openshift/api/.ci-operator.yaml
+++ b/vendor/github.com/openshift/api/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
 name: release
 namespace: openshift
- tag: rhel-9-release-golang-1.24-openshift-4.20
+ tag: rhel-9-release-golang-1.24-openshift-4.21
diff --git a/vendor/github.com/openshift/api/.golangci.go-validated.yaml b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
new file mode 100644
index 0000000000..44c73149d4
--- /dev/null
+++ b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
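Review bot: `// nolint:dupl // I separated this from syncControlPlaneMachineSets for readability` has a space between `//` and `nolint`, and golangci-lint only recognises the directive in the `//nolint:dupl` form; written this way it is an ordinary comment, dupl will keep reporting the pair of functions, and nolintlint (if enabled) flags the malformed directive. Change the line to `//nolint:dupl // separated from syncControlPlaneMachineSets for readability`, dropping the first-person phrasing while at it. The platform_helpers.go hunk on this same line has the identical problem on its `reconcilePlatform` comment.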
@@ -0,0 +1,58 @@ +version: "2" +linters: + default: none + enable: + - kubeapilinter + settings: + custom: + kubeapilinter: + path: tools/_output/bin/kube-api-linter.so + description: kubeapilinter is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices. + settings: + linters: + enable: + - optionalfields + disable: + - "*" + lintersConfig: + optionalfields: + pointers: + preference: Always + policy: SuggestFix + omitEmpty: + # This will force omitempty on optional fields. + # This is in line with upstream guidance where optional fields should be omitted + # from the serialized output unless they are non-zero. + policy: SuggestFix + omitzero: + # This will force omitzero on optional struct fields. + # This means they can be omitted correctly and prevents the need for pointers to structs. + policy: SuggestFix + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ + rules: + - linters: + - kubeapilinter + # This regex must always be updated in tandem with the regex in .golangci.yaml that prevents `optionalfields` from being applied to the files in the path-except. + path-except: machine/v1beta1/(types_awsprovider.go|types_azureprovider.go|types_gcpprovider.go|types_vsphereprovider.go)|machine/v1alpha1/types_openstack.go +issues: + # We have a lot of existing issues. + # Want to make sure that those adding new fields have an + # opportunity to fix them when running the linter locally. + max-issues-per-linter: 1000 +formatters: + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml index 6a22f61576..649f9bed35 100644 --- a/vendor/github.com/openshift/api/.golangci.yaml +++ b/vendor/github.com/openshift/api/.golangci.yaml 
@@ -73,6 +73,12 @@ linters: - third_party$ - builtin$ - examples$ + rules: + - linters: + - kubeapilinter + # This regex must always be updated in tandem with the regex in .golangci.go-validated.yaml that prevents `optionalfields` from being applied to the files in the path. + path: machine/v1beta1/(types_awsprovider.go|types_azureprovider.go|types_gcpprovider.go|types_vsphereprovider.go)|machine/v1alpha1/types_openstack.go + text: "optionalfields" issues: # We have a lot of existing issues. # Want to make sure that those adding new fields have an diff --git a/vendor/github.com/openshift/api/AGENTS.md b/vendor/github.com/openshift/api/AGENTS.md new file mode 100644 index 0000000000..a009bbb2de --- /dev/null +++ b/vendor/github.com/openshift/api/AGENTS.md 
@@ -0,0 +1,185 @@ +This file provides guidance to AI agents when working with code in this repository. + +This is the OpenShift API repository - the canonical location of OpenShift API type definitions and serialization code. It contains: + +- API type definitions for OpenShift-specific resources (Custom Resource Definitions) +- FeatureGate management system for controlling API availability across cluster profiles +- Generated CRD manifests and validation schemas +- Integration test suite for API validation + +## Key Architecture Components + +### FeatureGate System +The FeatureGate system (`features/features.go`) controls API availability across different cluster profiles (Hypershift, SelfManaged) and feature sets (Default, TechPreview, DevPreview). Each API feature is gated behind a FeatureGate that can be enabled/disabled per cluster profile and feature set. + +### API Structure +APIs are organized by group and version (e.g., `route/v1`, `config/v1`). Each API group contains: +- `types.go` - Go type definitions +- `zz_generated.*` files - Generated code (deepcopy, CRDs, etc.) +- `tests/` directories - Integration test definitions +- CRD manifest files + +## Common Development Commands + +### Building +```bash +make build # Build render and write-available-featuresets binaries +make clean # Clean build artifacts +``` + +### Code Generation +```bash +make update # Alias for update-codegen-crds +``` + +### Testing +```bash +make test-unit # Run unit tests +make integration # Run integration tests (in tests/ directory) +go test -v ./... 
# Run tests for specific packages + +# Run integration tests for specific API groups +make -C config/v1 test # Run tests for config/v1 API group +make -C route/v1 test # Run tests for route/v1 API group +make -C operator/v1 test # Run tests for operator/v1 API group +``` + +### Validation and Verification +```bash +make verify # Run all verification checks +make verify-scripts # Verify generated code is up to date +make verify-codegen-crds # Verify CRD generation is current +make lint # Run golangci-lint (only on changes from master) +make lint-fix # Auto-fix linting issues where possible +``` + +## Adding New APIs + +All APIs should start as tech preview. +New fields on stable APIs should be introduced behind a feature gate `+openshift:enable:FeatureGate=MyFeatureGate`. + + +### For New Stable APIs (v1) +1. Create the API type with proper kubebuilder annotations +2. Include required markers like `+openshift:compatibility-gen:level=1` +3. Add validation tests in `//tests//` +4. Run `make update-codegen-crds` to generate CRDs + +### For New TechPreview APIs (v1alpha1) +1. First add a FeatureGate in `features/features.go` +2. Create the API type with `+openshift:enable:FeatureGate=MyFeatureGate` +3. Add corresponding test files +4. Run generation commands + +### Adding FeatureGates +Add to `features/features.go` using the builder pattern: +```go +FeatureGateMyFeatureName = newFeatureGate("MyFeatureName"). + reportProblemsToJiraComponent("my-jira-component"). + contactPerson("my-team-lead"). + productScope(ocpSpecific). + enableIn(configv1.TechPreviewNoUpgrade). + mustRegister() +``` + +## Testing Framework + +The repository includes a comprehensive integration test suite in `tests/`. 
Test suites are defined in `*.testsuite.yaml` files alongside API definitions and support: +- `onCreate` tests for validation during resource creation +- `onUpdate` tests for update-specific validations and immutability +- Status subresource testing +- Validation ratcheting tests using `initialCRDPatches` + +Use `tests/hack/gen-minimal-test.sh $FOLDER $VERSION` to generate test suite templates. + +## Container-based Development +```bash +make verify-with-container # Run verification in container +make generate-with-container # Run code generation in container +``` + +Uses `podman` by default, set `RUNTIME=docker` or `USE_DOCKER=1` to use Docker instead. + +## Custom Claude Code Commands + +### API Review +``` +/api-review +``` +Runs comprehensive API review for OpenShift API changes in a GitHub PR: +- Executes `make lint` to check for kube-api-linter issues +- Validates that all API fields are properly documented +- Ensures optional fields explain behavior when not present +- Confirms validation rules and kubebuilder markers are documented in field comments + +#### Documentation Requirements +All kubebuilder validation markers must be documented in the field's comment. For example: + +**Good:** +```go +// internalDNSRecords is an optional field that determines whether we deploy +// with internal records enabled for api, api-int, and ingress. +// Valid values are "Enabled" and "Disabled". +// When set to Enabled, in cluster DNS resolution will be enabled for the api, api-int, and ingress endpoints. +// When set to Disabled, in cluster DNS resolution will be disabled and an external DNS solution must be provided for these endpoints. +// +optional +// +kubebuilder:validation:Enum=Enabled;Disabled +InternalDNSRecords InternalDNSRecordsType `json:"internalDNSRecords"` +``` + +**Bad:** +```go +// internalDNSRecords determines whether we deploy with internal records enabled for +// api, api-int, and ingress. 
+// +optional // ❌ Optional nature not documented in comment +// +kubebuilder:validation:Enum=Enabled;Disabled // ❌ Valid values not documented +InternalDNSRecords InternalDNSRecordsType `json:"internalDNSRecords"` +``` + +#### Systematic Validation Marker Documentation Checklist + +**MANDATORY**: For each field with validation markers, verify the comment documents ALL of the following that apply: + +**Field Optionality:** +- [ ] `+optional` - explain behavior when field is omitted +- [ ] `+required` - explain that the field is required + +**String/Array Length Constraints:** +- [ ] `+kubebuilder:validation:MinLength` and `+kubebuilder:validation:MaxLength` - document character length constraints +- [ ] `+kubebuilder:validation:MinItems` and `+kubebuilder:validation:MaxItems` - document item count ranges + +**Value Constraints:** +- [ ] `+kubebuilder:validation:Enum` - list all valid enum values and their meanings +- [ ] `+kubebuilder:validation:Pattern` - explain the pattern requirement in human-readable terms +- [ ] `+kubebuilder:validation:Minimum` and `+kubebuilder:validation:Maximum` - document numeric ranges + +**Advanced Validation:** +- [ ] `+kubebuilder:validation:XValidation` - explain cross-field validation rules in detail +- [ ] Any custom validation logic - document the validation behavior + +#### API Review Process + +**CRITICAL PROCESS**: Follow this exact order to ensure comprehensive validation: + +1. **Linting Check**: Run `make lint` and fix all kubeapilinter errors first +2. **Extract Validation Markers**: Use systematic search to find all markers +3. **Systematic Documentation Review**: For each marker found, verify corresponding documentation exists +4. **Optional Fields Review**: Ensure every `+optional` field explains omitted behavior +5. 
**Cross-field Validation**: Verify any documented field relationships have corresponding `XValidation` rules + +**FAILURE CONDITIONS**: The review MUST fail if any of these are found: +- Any validation marker without corresponding documentation +- Any `+optional` field without omitted behavior explanation +- Any documented field constraint without enforcement via validation rules +- Any `make lint` failures + +The comment must explicitly state: +- When a field is optional (for `+kubebuilder:validation:Optional` or `+optional`) +- Valid enum values (for `+kubebuilder:validation:Enum`) +- Validation constraints (for min/max, patterns, etc.) +- Default behavior when field is omitted +- Any interactions with other fields, commonly implemented with `+kubebuilder:validation:XValidation` + +**CRITICAL**: When API documentation states field relationships or constraints (e.g., "cannot be used together with field X", "mutually exclusive with field Y"), these relationships MUST be enforced with appropriate validation rules. Use `+kubebuilder:validation:XValidation` with CEL expressions for cross-field constraints. Documentation without enforcement is insufficient and will fail review. + +Example: `/api-review https://github.com/openshift/api/pull/1234` diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp index 0a4c98c488..45d24f4fcc 100644 --- a/vendor/github.com/openshift/api/Dockerfile.ocp +++ b/vendor/github.com/openshift/api/Dockerfile.ocp 
@@ -1,10 +1,10 @@ -FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20 AS builder +FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder WORKDIR /go/src/github.com/openshift/api COPY . . ENV GO_PACKAGE github.com/openshift/api RUN make build --warn-undefined-variables -FROM registry.ci.openshift.org/ocp/4.20:base-rhel9 +FROM registry.ci.openshift.org/ocp/4.21:base-rhel9 # copy the built binaries to /usr/bin COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/ diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile index 123efe1029..fd4268a789 100644 --- a/vendor/github.com/openshift/api/Makefile +++ b/vendor/github.com/openshift/api/Makefile @@ -73,7 +73,7 @@ verify-scripts: hack/verify-payload-featuregates.sh .PHONY: verify -verify: verify-scripts lint verify-crd-schema verify-codegen-crds +verify: verify-scripts lint verify-crd-schema verify-crdify verify-codegen-crds .PHONY: verify-codegen-crds verify-codegen-crds: @@ -83,6 +83,10 @@ verify-codegen-crds: verify-crd-schema: bash -x hack/verify-crd-schema-checker.sh +.PHONY: verify-crdify +verify-crdify: + bash -x hack/verify-crdify.sh + .PHONY: verify-feature-promotion verify-feature-promotion: hack/verify-promoted-features-pass-tests.sh diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go index eac29a2367..222c7f0cc7 100644 --- a/vendor/github.com/openshift/api/config/v1/register.go +++ b/vendor/github.com/openshift/api/config/v1/register.go @@ -76,6 +76,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ImagePolicyList{}, &ClusterImagePolicy{}, &ClusterImagePolicyList{}, + &InsightsDataGather{}, + &InsightsDataGatherList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) return nil 
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go index 86fbc033e1..8323040389 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go 
@@ -153,15 +153,21 @@ const ( // is functional and available in the cluster. Available=False means at least // part of the component is non-functional, and that the condition requires // immediate administrator intervention. + // A component must not report Available=False during the course of a normal upgrade. OperatorAvailable ClusterStatusConditionType = "Available" // Progressing indicates that the component (operator and all configured operands) - // is actively rolling out new code, propagating config changes, or otherwise + // is actively rolling out new code, propagating config changes (e.g, a version change), or otherwise // moving from one steady state to another. Operators should not report - // progressing when they are reconciling (without action) a previously known - // state. If the observed cluster state has changed and the component is - // reacting to it (scaling up for instance), Progressing should become true + // Progressing when they are reconciling (without action) a previously known + // state. Operators should not report Progressing only because DaemonSets owned by them + // are adjusting to a new node from cluster scaleup or a node rebooting from cluster upgrade. + // If the observed cluster state has changed and the component is + // reacting to it (updated proxy configuration for instance), Progressing should become true // since it is moving from one steady state to another. + // A component in a cluster with less than 250 nodes must complete a version + // change within a limited period of time: 90 minutes for Machine Config Operator and 20 minutes for others. + // Machine Config Operator is given more time as it needs to restart control plane nodes. OperatorProgressing ClusterStatusConditionType = "Progressing" // Degraded indicates that the component (operator and all configured operands) 
@@ -174,7 +180,7 @@ const ( // Degraded because it may have a lower quality of service. A component may be // Progressing but not Degraded because the transition from one state to // another does not persist over a long enough period to report Degraded. A - // component should not report Degraded during the course of a normal upgrade. + // component must not report Degraded during the course of a normal upgrade. // A component may report Degraded in response to a persistent infrastructure // failure that requires eventual administrator intervention. For example, if // a control plane host is unhealthy and must be replaced. A component should diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go new file mode 100644 index 0000000000..b0959881f1 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/types_insights.go 
@@ -0,0 +1,230 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// InsightsDataGather provides data gather configuration options for the Insights Operator. +// +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=insightsdatagathers,scope=Cluster +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=InsightsConfig +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type InsightsDataGather struct { + metav1.TypeMeta `json:",inline"` + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + // spec holds user settable values for configuration + // +required + Spec InsightsDataGatherSpec `json:"spec,omitempty,omitzero"` +} + +// InsightsDataGatherSpec contains the configuration for the data gathering. +type InsightsDataGatherSpec struct { + // gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress. + // +required + GatherConfig GatherConfig `json:"gatherConfig,omitempty,omitzero"` +} + +// GatherConfig provides data gathering configuration options. +type GatherConfig struct { + // dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. + // It may not exceed 2 items and must not contain duplicates. + // Valid values are ObfuscateNetworking and WorkloadNames. 
+ // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. + // When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. + // When omitted no obfuscation is applied. + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="dataPolicy items must be unique" + // +listType=atomic + // +optional + DataPolicy []DataPolicyOption `json:"dataPolicy,omitempty"` + // gatherers is a required field that specifies the configuration of the gatherers. + // +required + Gatherers Gatherers `json:"gatherers,omitempty,omitzero"` + // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + // If omitted, the gathering job will use ephemeral storage. + // +optional + Storage Storage `json:"storage,omitempty,omitzero"` +} + +// Gatherers specifies the configuration of the gatherers +// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Custom' ? has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise" +// +union +type Gatherers struct { + // mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. + // When set to All, all gatherers will run and gather data. + // When set to None, all gatherers will be disabled and no data will be gathered. + // When set to Custom, the custom configuration from the custom field will be applied. + // +unionDiscriminator + // +required + Mode GatheringMode `json:"mode,omitempty"` + // custom provides gathering configuration. + // It is required when mode is Custom, and forbidden otherwise. + // Custom configuration allows user to disable only a subset of gatherers. 
+ // Gatherers that are not explicitly disabled in custom configuration will run. + // +unionMember + // +optional + Custom Custom `json:"custom,omitempty,omitzero"` +} + +// Custom provides the custom configuration of gatherers +type Custom struct { + // configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. + // It may not exceed 100 items and each gatherer can be present only once. + // It is possible to disable an entire set of gatherers while allowing a specific function within that set. + // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. + // Run the following command to get the names of last active gatherers: + // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=100 + // +listType=map + // +listMapKey=name + // +required + Configs []GathererConfig `json:"configs,omitempty"` +} + +// GatheringMode defines the valid gathering modes. +// +kubebuilder:validation:Enum=All;None;Custom +type GatheringMode string + +const ( + // Enabled enables all gatherers + GatheringModeAll GatheringMode = "All" + // Disabled disables all gatherers + GatheringModeNone GatheringMode = "None" + // Custom applies the configuration from GatheringConfig. 
+ GatheringModeCustom GatheringMode = "Custom" +) + +// DataPolicyOption declares valid data policy options +// +kubebuilder:validation:Enum=ObfuscateNetworking;WorkloadNames +type DataPolicyOption string + +const ( + // IP addresses and cluster domain name are obfuscated + DataPolicyOptionObfuscateNetworking DataPolicyOption = "ObfuscateNetworking" + // Data from Deployment Validation Operator are obfuscated + DataPolicyOptionObfuscateWorkloadNames DataPolicyOption = "WorkloadNames" +) + +// Storage provides persistent storage configuration options for gathering jobs. +// If the type is set to PersistentVolume, then the PersistentVolume must be defined. +// If the type is set to Ephemeral, then the PersistentVolume must not be defined. +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise" +// +union +type Storage struct { + // type is a required field that specifies the type of storage that will be used to store the Insights data archive. + // Valid values are "PersistentVolume" and "Ephemeral". + // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + // +unionDiscriminator + // +required + Type StorageType `json:"type,omitempty"` + // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + // The PersistentVolume must be created in the openshift-insights namespace. 
+ // +unionMember + // +optional + PersistentVolume PersistentVolumeConfig `json:"persistentVolume,omitempty,omitzero"` +} + +// StorageType declares valid storage types +// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral +type StorageType string + +const ( + // StorageTypePersistentVolume storage type + StorageTypePersistentVolume StorageType = "PersistentVolume" + // StorageTypeEphemeral storage type + StorageTypeEphemeral StorageType = "Ephemeral" +) + +// PersistentVolumeConfig provides configuration options for PersistentVolume storage. +type PersistentVolumeConfig struct { + // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + // The PersistentVolumeClaim must be created in the openshift-insights namespace. + // +required + Claim PersistentVolumeClaimReference `json:"claim,omitempty,omitzero"` + // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default mount path is /var/lib/insights-operator + // The path may not exceed 1024 characters and must not contain a colon. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon" + // +optional + MountPath string `json:"mountPath,omitempty"` +} + +// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim. +type PersistentVolumeClaimReference struct { + // name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. + // It is a string that follows the DNS1123 subdomain format. 
+ // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +required
+ Name string `json:"name,omitempty"`
+}
+
+// GathererConfig allows to configure specific gatherers
+type GathererConfig struct {
+ // name is the required name of a specific gatherer.
+ // It may not exceed 256 characters.
+ // The format for a gatherer name is: {gatherer}/{function} where the function is optional.
+ // Gatherer consists of a lowercase letters only that may include underscores (_).
+ // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+ // The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+ // Run the following command to get the names of last active gatherers:
+ // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`gatherer name must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided`
+ // +required
+ Name string `json:"name,omitempty"`
+ // state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled".
+ // When set to Enabled the gatherer will run.
+ // When set to Disabled the gatherer will not run.
+ // +required
+ State GathererState `json:"state,omitempty"`
+}
+
+// GathererState declares valid gatherer state types.
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type GathererState string
+
+const (
+ // GathererStateEnabled gatherer state, which means that the gatherer will run.
+ GathererStateEnabled GathererState = "Enabled"
+ // GathererStateDisabled gatherer state, which means that the gatherer will not run.
+ GathererStateDisabled GathererState = "Disabled"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InsightsDataGatherList is a collection of items
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InsightsDataGatherList struct {
+ metav1.TypeMeta `json:",inline"`
+ // metadata is the required standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +required
+ metav1.ListMeta `json:"metadata,omitempty"`
+ // items is the required list of InsightsDataGather objects
+ // it may not exceed 100 items
+ // +kubebuilder:validation:MinItems=0
+ // +kubebuilder:validation:MaxItems=100
+ // +required
+ Items []InsightsDataGather `json:"items,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
deleted file mode 100644
index 4f67bf9e0c..0000000000
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,870 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. - items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string - to use as the extra attribute key. 
- - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. - maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is 
reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. - "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). 
- For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - uid: - description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). 
- minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. 
- items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. 
- - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. 
- It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. 
- The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. 
- properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. 
- An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. 
- - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml deleted file mode 100644 index 2a3b60571c..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ /dev/null 
@@ -1,719 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: Default - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. 
- type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). 
- - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. 
- - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. 
- - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. 
- items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. 
- type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. 
- For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. 
- items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. 
- maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 195efce400..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,870 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. - items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string - to use as the extra attribute key. 
- - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. - maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is 
reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. - "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). 
- For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - uid: - description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). 
- minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. 
- items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. 
- - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. 
- It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. 
- The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. 
- properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. 
- An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. 
- - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 4e8c79c320..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,870 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. - items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string - to use as the extra attribute key. 
- - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. - maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is 
reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. - "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). 
- For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - uid: - description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). 
- minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. 
- items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. 
- - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. 
- It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. 
- The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. 
- properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. 
- An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. 
- - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml deleted file mode 100644 index 72c798fae7..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,870 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. - items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string - to use as the extra attribute key. 
- - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. - maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is 
reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. - "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). 
- For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - uid: - description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). 
- minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. 
- items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. 
- - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. 
- It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. 
- The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. 
- properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. 
- An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. 
- - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-Default.crd.yaml deleted file mode 100644 index 5979653555..0000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-Default.crd.yaml +++ /dev/null 
@@ -1,187 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: Default - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. 
This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 75446be6cc..0000000000 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,870 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. - items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string - to use as the extra attribute key. 
- - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. - maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is 
reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. - "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). 
- For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. - - When omitted (""), no prefix is applied to the cluster identity attribute. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - uid: - description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. 
- maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. - properties: - claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). 
- minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. 
- items: - properties: - requiredClaim: - description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. 
- - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. 
- It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. 
- The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. 
- properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. 
- An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. 
- - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). 
- minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml index 998e804191..d6e1cf0849 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml @@ -4,9 +4,9 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/470 api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade name: authentications.config.openshift.io spec: group: config.openshift.io diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..8e7d3c392d --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2448 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: insightsdatagathers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: InsightsDataGather + listKind: InsightsDataGatherList + plural: insightsdatagathers + singular: insightsdatagather + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + InsightsDataGather provides data gather configuration options for the Insights Operator. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + gatherConfig: + description: gatherConfig is a required spec attribute that includes + all the configuration options related to gathering of the Insights + data and its uploading to the ingress. 
+ properties: + dataPolicy: + description: |- + dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. + It may not exceed 2 items and must not contain duplicates. + Valid values are ObfuscateNetworking and WorkloadNames. + When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. + When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. + When omitted no obfuscation is applied. + items: + description: DataPolicyOption declares valid data policy options + enum: + - ObfuscateNetworking + - WorkloadNames + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: dataPolicy items must be unique + rule: self.all(x, self.exists_one(y, x == y)) + gatherers: + description: gatherers is a required field that specifies the + configuration of the gatherers. + properties: + custom: + description: |- + custom provides gathering configuration. + It is required when mode is Custom, and forbidden otherwise. + Custom configuration allows user to disable only a subset of gatherers. + Gatherers that are not explicitly disabled in custom configuration will run. + properties: + configs: + description: |- + configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. + It may not exceed 100 items and each gatherer can be present only once. + It is possible to disable an entire set of gatherers while allowing a specific function within that set. + The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
+ Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + items: + description: GathererConfig allows to configure specific + gatherers + properties: + name: + description: |- + name is the required name of a specific gatherer. + It may not exceed 256 characters. + The format for a gatherer name is: {gatherer}/{function} where the function is optional. + Gatherer consists of a lowercase letters only that may include underscores (_). + Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). + The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. + Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: gatherer name must be in the format of + {gatherer}/{function} where the gatherer and + function are lowercase letters only that may + include underscores (_) and are separated by + a forward slash (/) if the function is provided + rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") + state: + description: |- + state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". + When set to Enabled the gatherer will run. + When set to Disabled the gatherer will not run. + enum: + - Enabled + - Disabled + type: string + required: + - name + - state + type: object + maxItems: 100 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - configs + type: object + mode: + description: |- + mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. + When set to All, all gatherers will run and gather data. + When set to None, all gatherers will be disabled and no data will be gathered. + When set to Custom, the custom configuration from the custom field will be applied. + enum: + - All + - None + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden + otherwise + rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) + : !has(self.custom)' + storage: + description: |- + storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + If omitted, the gathering job will use ephemeral storage. + properties: + persistentVolume: + description: |- + persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + The PersistentVolume must be created in the openshift-insights namespace. + properties: + claim: + description: |- + claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + The PersistentVolumeClaim must be created in the openshift-insights namespace. + properties: + name: + description: |- + name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. + It is a string that follows the DNS1123 subdomain format. + It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist + of lower case alphanumeric characters, '-' or + '.', and must start and end with an alphanumeric + character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + mountPath: + description: |- + mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default mount path is /var/lib/insights-operator + The path may not exceed 1024 characters and must not contain a colon. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: mountPath must not contain a colon + rule: '!self.contains('':'')' + required: + - claim + type: object + type: + description: |- + type is a required field that specifies the type of storage that will be used to store the Insights data archive. + Valid values are "PersistentVolume" and "Ephemeral". + When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + enum: + - PersistentVolume + - Ephemeral + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: persistentVolume is required when type is PersistentVolume, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) + : !has(self.persistentVolume)' + required: + - gatherers + type: object + required: + - gatherConfig + type: object + required: + - spec + type: object + served: true + storage: true 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..0ecdc12f2b --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2448 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: insightsdatagathers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: InsightsDataGather + listKind: InsightsDataGatherList + plural: insightsdatagathers + singular: insightsdatagather + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + InsightsDataGather provides data gather configuration options for the Insights Operator. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + gatherConfig: + description: gatherConfig is a required spec attribute that includes + all the configuration options related to gathering of the Insights + data and its uploading to the ingress. 
+ properties: + dataPolicy: + description: |- + dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. + It may not exceed 2 items and must not contain duplicates. + Valid values are ObfuscateNetworking and WorkloadNames. + When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. + When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. + When omitted no obfuscation is applied. + items: + description: DataPolicyOption declares valid data policy options + enum: + - ObfuscateNetworking + - WorkloadNames + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: dataPolicy items must be unique + rule: self.all(x, self.exists_one(y, x == y)) + gatherers: + description: gatherers is a required field that specifies the + configuration of the gatherers. + properties: + custom: + description: |- + custom provides gathering configuration. + It is required when mode is Custom, and forbidden otherwise. + Custom configuration allows user to disable only a subset of gatherers. + Gatherers that are not explicitly disabled in custom configuration will run. + properties: + configs: + description: |- + configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. + It may not exceed 100 items and each gatherer can be present only once. + It is possible to disable an entire set of gatherers while allowing a specific function within that set. + The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
+ Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + items: + description: GathererConfig allows to configure specific + gatherers + properties: + name: + description: |- + name is the required name of a specific gatherer. + It may not exceed 256 characters. + The format for a gatherer name is: {gatherer}/{function} where the function is optional. + Gatherer consists of a lowercase letters only that may include underscores (_). + Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). + The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. + Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: gatherer name must be in the format of + {gatherer}/{function} where the gatherer and + function are lowercase letters only that may + include underscores (_) and are separated by + a forward slash (/) if the function is provided + rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") + state: + description: |- + state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". + When set to Enabled the gatherer will run. + When set to Disabled the gatherer will not run. + enum: + - Enabled + - Disabled + type: string + required: + - name + - state + type: object + maxItems: 100 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - configs + type: object + mode: + description: |- + mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. + When set to All, all gatherers will run and gather data. + When set to None, all gatherers will be disabled and no data will be gathered. + When set to Custom, the custom configuration from the custom field will be applied. + enum: + - All + - None + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden + otherwise + rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) + : !has(self.custom)' + storage: + description: |- + storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + If omitted, the gathering job will use ephemeral storage. + properties: + persistentVolume: + description: |- + persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + The PersistentVolume must be created in the openshift-insights namespace. + properties: + claim: + description: |- + claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + The PersistentVolumeClaim must be created in the openshift-insights namespace. + properties: + name: + description: |- + name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. + It is a string that follows the DNS1123 subdomain format. + It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist + of lower case alphanumeric characters, '-' or + '.', and must start and end with an alphanumeric + character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + mountPath: + description: |- + mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default mount path is /var/lib/insights-operator + The path may not exceed 1024 characters and must not contain a colon. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: mountPath must not contain a colon + rule: '!self.contains('':'')' + required: + - claim + type: object + type: + description: |- + type is a required field that specifies the type of storage that will be used to store the Insights data archive. + Valid values are "PersistentVolume" and "Ephemeral". + When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + enum: + - PersistentVolume + - Ephemeral + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: persistentVolume is required when type is PersistentVolume, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) + : !has(self.persistentVolume)' + required: + - gatherers + type: object + required: + - gatherConfig + type: object + required: + - spec + type: object + served: true + storage: true 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..afaf9c37da --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2448 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: insightsdatagathers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: InsightsDataGather + listKind: InsightsDataGatherList + plural: insightsdatagathers + singular: insightsdatagather + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + InsightsDataGather provides data gather configuration options for the Insights Operator. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + gatherConfig: + description: gatherConfig is a required spec attribute that includes + all the configuration options related to gathering of the Insights + data and its uploading to the ingress. 
+ properties: + dataPolicy: + description: |- + dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. + It may not exceed 2 items and must not contain duplicates. + Valid values are ObfuscateNetworking and WorkloadNames. + When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. + When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. + When omitted no obfuscation is applied. + items: + description: DataPolicyOption declares valid data policy options + enum: + - ObfuscateNetworking + - WorkloadNames + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: dataPolicy items must be unique + rule: self.all(x, self.exists_one(y, x == y)) + gatherers: + description: gatherers is a required field that specifies the + configuration of the gatherers. + properties: + custom: + description: |- + custom provides gathering configuration. + It is required when mode is Custom, and forbidden otherwise. + Custom configuration allows user to disable only a subset of gatherers. + Gatherers that are not explicitly disabled in custom configuration will run. + properties: + configs: + description: |- + configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. + It may not exceed 100 items and each gatherer can be present only once. + It is possible to disable an entire set of gatherers while allowing a specific function within that set. + The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
+ Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + items: + description: GathererConfig allows to configure specific + gatherers + properties: + name: + description: |- + name is the required name of a specific gatherer. + It may not exceed 256 characters. + The format for a gatherer name is: {gatherer}/{function} where the function is optional. + Gatherer consists of a lowercase letters only that may include underscores (_). + Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). + The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. + Run the following command to get the names of last active gatherers: + "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: gatherer name must be in the format of + {gatherer}/{function} where the gatherer and + function are lowercase letters only that may + include underscores (_) and are separated by + a forward slash (/) if the function is provided + rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") + state: + description: |- + state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". + When set to Enabled the gatherer will run. + When set to Disabled the gatherer will not run. + enum: + - Enabled + - Disabled + type: string + required: + - name + - state + type: object + maxItems: 100 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - configs + type: object + mode: + description: |- + mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. + When set to All, all gatherers will run and gather data. + When set to None, all gatherers will be disabled and no data will be gathered. + When set to Custom, the custom configuration from the custom field will be applied. + enum: + - All + - None + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden + otherwise + rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) + : !has(self.custom)' + storage: + description: |- + storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + If omitted, the gathering job will use ephemeral storage. + properties: + persistentVolume: + description: |- + persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + The PersistentVolume must be created in the openshift-insights namespace. + properties: + claim: + description: |- + claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + The PersistentVolumeClaim must be created in the openshift-insights namespace. + properties: + name: + description: |- + name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. + It is a string that follows the DNS1123 subdomain format. + It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist + of lower case alphanumeric characters, '-' or + '.', and must start and end with an alphanumeric + character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + mountPath: + description: |- + mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default mount path is /var/lib/insights-operator + The path may not exceed 1024 characters and must not contain a colon. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: mountPath must not contain a colon + rule: '!self.contains('':'')' + required: + - claim + type: object + type: + description: |- + type is a required field that specifies the type of storage that will be used to store the Insights data archive. + Valid values are "PersistentVolume" and "Ephemeral". + When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + enum: + - PersistentVolume + - Ephemeral + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: persistentVolume is required when type is PersistentVolume, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) + : !has(self.persistentVolume)' + required: + - gatherers + type: object + required: + - gatherConfig + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 788e10479b..0863934f22 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go 
@@ -1736,6 +1736,27 @@ func (in *ConsoleStatus) DeepCopy() *ConsoleStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Custom) DeepCopyInto(out *Custom) { + *out = *in + if in.Configs != nil { + in, out := &in.Configs, &out.Configs + *out = make([]GathererConfig, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Custom. +func (in *Custom) DeepCopy() *Custom { + if in == nil { + return nil + } + out := new(Custom) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) { *out = *in 
@@ -2467,6 +2488,62 @@ func (in *GCPServiceEndpoint) DeepCopy() *GCPServiceEndpoint { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { + *out = *in + if in.DataPolicy != nil { + in, out := &in.DataPolicy, &out.DataPolicy + *out = make([]DataPolicyOption, len(*in)) + copy(*out, *in) + } + in.Gatherers.DeepCopyInto(&out.Gatherers) + out.Storage = in.Storage + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatherConfig. +func (in *GatherConfig) DeepCopy() *GatherConfig { + if in == nil { + return nil + } + out := new(GatherConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GathererConfig) DeepCopyInto(out *GathererConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GathererConfig. +func (in *GathererConfig) DeepCopy() *GathererConfig { + if in == nil { + return nil + } + out := new(GathererConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Gatherers) DeepCopyInto(out *Gatherers) { + *out = *in + in.Custom.DeepCopyInto(&out.Custom) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gatherers. +func (in *Gatherers) DeepCopy() *Gatherers { + if in == nil { + return nil + } + out := new(Gatherers) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) { *out = *in 
@@ -3570,6 +3647,83 @@ func (in *IngressStatus) DeepCopy() *IngressStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGather. +func (in *InsightsDataGather) DeepCopy() *InsightsDataGather { + if in == nil { + return nil + } + out := new(InsightsDataGather) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *InsightsDataGather) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *InsightsDataGatherList) DeepCopyInto(out *InsightsDataGatherList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]InsightsDataGather, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherList. +func (in *InsightsDataGatherList) DeepCopy() *InsightsDataGatherList { + if in == nil { + return nil + } + out := new(InsightsDataGatherList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *InsightsDataGatherList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *InsightsDataGatherSpec) DeepCopyInto(out *InsightsDataGatherSpec) { + *out = *in + in.GatherConfig.DeepCopyInto(&out.GatherConfig) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherSpec. +func (in *InsightsDataGatherSpec) DeepCopy() *InsightsDataGatherSpec { + if in == nil { + return nil + } + out := new(InsightsDataGatherSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) { *out = *in 
@@ -5019,6 +5173,39 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. +func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { + if in == nil { + return nil + } + out := new(PersistentVolumeClaimReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { + *out = *in + out.Claim = in.Claim + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. +func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { + if in == nil { + return nil + } + out := new(PersistentVolumeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in 
@@ -5981,6 +6168,23 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Storage) DeepCopyInto(out *Storage) { + *out = *in + out.PersistentVolume = in.PersistentVolume + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. +func (in *Storage) DeepCopy() *Storage { + if in == nil { + return nil + } + out := new(Storage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringSource) DeepCopyInto(out *StringSource) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 6d756e8f90..d8d6b502ee 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -408,6 +408,29 @@ ingresses.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +insightsdatagathers.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2448 + CRDName: insightsdatagathers.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - InsightsConfig + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: false + KindName: InsightsDataGather + Labels: {} + PluralName: insightsdatagathers + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - InsightsConfig + Version: v1 + networks.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index e3494151c6..31aab4dfe8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2195,6 +2195,104 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } +var map_Custom = map[string]string{ + "": "Custom provides the custom configuration of gatherers", + "configs": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", +} + +func (Custom) SwaggerDoc() map[string]string { + return map_Custom +} + +var map_GatherConfig = map[string]string{ + "": "GatherConfig provides data gathering configuration options.", + "dataPolicy": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", + "gatherers": "gatherers is a required field that specifies the configuration of the gatherers.", + "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. 
If omitted, the gathering job will use ephemeral storage.", +} + +func (GatherConfig) SwaggerDoc() map[string]string { + return map_GatherConfig +} + +var map_GathererConfig = map[string]string{ + "": "GathererConfig allows to configure specific gatherers", + "name": "name is the required name of a specific gatherer. It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + "state": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", +} + +func (GathererConfig) SwaggerDoc() map[string]string { + return map_GathererConfig +} + +var map_Gatherers = map[string]string{ + "": "Gatherers specifies the configuration of the gatherers", + "mode": "mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. When set to All, all gatherers will run and gather data. When set to None, all gatherers will be disabled and no data will be gathered. When set to Custom, the custom configuration from the custom field will be applied.", + "custom": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. 
Gatherers that are not explicitly disabled in custom configuration will run.", +} + +func (Gatherers) SwaggerDoc() map[string]string { + return map_Gatherers +} + +var map_InsightsDataGather = map[string]string{ + "": "InsightsDataGather provides data gather configuration options for the Insights Operator.\n\n\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", +} + +func (InsightsDataGather) SwaggerDoc() map[string]string { + return map_InsightsDataGather +} + +var map_InsightsDataGatherList = map[string]string{ + "": "InsightsDataGatherList is a collection of items Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the required standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is the required list of InsightsDataGather objects it may not exceed 100 items", +} + +func (InsightsDataGatherList) SwaggerDoc() map[string]string { + return map_InsightsDataGatherList +} + +var map_InsightsDataGatherSpec = map[string]string{ + "": "InsightsDataGatherSpec contains the configuration for the data gathering.", + "gatherConfig": "gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.", +} + +func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { + return map_InsightsDataGatherSpec +} + +var map_PersistentVolumeClaimReference = map[string]string{ + "": "PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + "name": "name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. It is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", +} + +func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { + return map_PersistentVolumeClaimReference +} + +var map_PersistentVolumeConfig = map[string]string{ + "": "PersistentVolumeConfig provides configuration options for PersistentVolume storage.", + "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", +} + +func (PersistentVolumeConfig) SwaggerDoc() map[string]string { + return map_PersistentVolumeConfig +} + +var map_Storage = map[string]string{ + "": "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", + "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", +} + +func (Storage) SwaggerDoc() map[string]string { + return map_Storage +} + var map_AWSKMSConfig = map[string]string{ "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index c048c64ef1..f6d4cd3420 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go @@ -81,14 +81,19 @@ type ClusterMonitoringSpec struct { // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // The current default value is `Disabled`. // +optional - UserDefined *UserDefinedMonitoring `json:"userDefined,omitempty"` + UserDefined UserDefinedMonitoring `json:"userDefined,omitempty,omitzero"` // alertmanagerConfig allows users to configure how the default Alertmanager instance // should be deployed in the `openshift-monitoring` namespace. // alertmanagerConfig is optional. // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. // The current default value is `DefaultConfig`. // +optional - AlertmanagerConfig *AlertmanagerConfig `json:"alertmanagerConfig,omitempty"` + AlertmanagerConfig AlertmanagerConfig `json:"alertmanagerConfig,omitempty,omitzero"` + // metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. + // Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // +optional + MetricsServerConfig MetricsServerConfig `json:"metricsServerConfig,omitempty,omitzero"` } // UserDefinedMonitoring config for user-defined projects. 
@@ -128,12 +133,12 @@ type AlertmanagerConfig struct { // // +unionDiscriminator // +required - DeploymentMode AlertManagerDeployMode `json:"deploymentMode"` + DeploymentMode AlertManagerDeployMode `json:"deploymentMode,omitempty"` // customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise. // When set to CustomConfig, the Alertmanager will be deployed with custom configuration. // +optional - CustomConfig *AlertmanagerCustomConfig `json:"customConfig,omitempty"` + CustomConfig AlertmanagerCustomConfig `json:"customConfig,omitempty,omitzero"` } // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. @@ -153,7 +158,7 @@ type AlertmanagerCustomConfig struct { // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. // The current default value is `Info`. // +optional - LogLevel LogLevel `json:"logLevel"` + LogLevel LogLevel `json:"logLevel,omitempty"` // nodeSelector defines the nodes on which the Pods are scheduled // nodeSelector is optional. // @@ -291,9 +296,10 @@ type ContainerResource struct { // This field is required. // name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. // +required + // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=253 // +kubebuilder:validation:XValidation:rule="!format.qualifiedName().validate(self).hasValue()",message="name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character" - Name string `json:"name"` + Name string `json:"name,omitempty"` // request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). // This field is optional. 
@@ -322,3 +328,135 @@ type ContainerResource struct {
 // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
 // +kubebuilder:validation:MaxLength=63
 type SecretName string
+
+// MetricsServerConfig provides configuration options for the Metrics Server instance
+// that runs in the `openshift-monitoring` namespace. Use this configuration to control
+// how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.
+// +kubebuilder:validation:MinProperties=1
+type MetricsServerConfig struct {
+ // audit defines the audit configuration used by the Metrics Server instance.
+ // audit is optional.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ //The current default sets audit.profile to Metadata
+ // +optional
+ Audit Audit `json:"audit,omitempty,omitzero"`
+ // nodeSelector defines the nodes on which the Pods are scheduled
+ // nodeSelector is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // The current default value is `kubernetes.io/os: linux`.
+ // +optional
+ // +kubebuilder:validation:MinProperties=1
+ // +kubebuilder:validation:MaxProperties=10
+ NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+ // tolerations defines tolerations for the pods.
+ // tolerations is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // Defaults are empty/unset.
+ // Maximum length for this list is 10
+ // Minimum length for this list is 1
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
+ // +optional
+ Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+ // verbosity defines the verbosity of log messages for Metrics Server.
+ // Valid values are Errors, Info, Trace, TraceAll and omitted.
+ // When set to Errors, only critical messages and errors are logged.
+ // When set to Info, only basic information messages are logged.
+ // When set to Trace, information useful for general debugging is logged.
+ // When set to TraceAll, detailed information about metric scraping is logged.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is `Errors`
+ // +optional
+ Verbosity VerbosityLevel `json:"verbosity,omitempty,omitzero"`
+ // resources defines the compute resource requests and limits for the Metrics Server container.
+ // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+ // When not specified, defaults are used by the platform. Requests cannot exceed limits.
+ // This field is optional.
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // This is a simplified API that maps to Kubernetes ResourceRequirements.
+ // The current default values are:
+ // resources:
+ // - name: cpu
+ // request: 4m
+ // limit: null
+ // - name: memory
+ // request: 40Mi
+ // limit: null
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1.
+ // +optional
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ Resources []ContainerResource `json:"resources,omitempty"`
+ // topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed
+ // across topology domains such as zones, nodes, or other user-defined labels.
+ // topologySpreadConstraints is optional.
+ // This helps improve high availability and resource efficiency by avoiding placing
+ // too many replicas in the same failure domain.
+ //
+ // When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+ // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+ // Default is empty list.
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1
+ // Entries must have unique topologyKey and whenUnsatisfiable pairs.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=topologyKey
+ // +listMapKey=whenUnsatisfiable
+ // +optional
+ TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
+// AuditProfile defines the audit log level for the Metrics Server.
+// +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse
+type AuditProfile string
+
+const (
+ // AuditProfileNone disables audit logging
+ AuditProfileNone AuditProfile = "None"
+ // AuditProfileMetadata logs request metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body
+ AuditProfileMetadata AuditProfile = "Metadata"
+ // AuditProfileRequest logs event metadata and request body but not response body
+ AuditProfileRequest AuditProfile = "Request"
+ // AuditProfileRequestResponse logs event metadata, request and response bodies
+ AuditProfileRequestResponse AuditProfile = "RequestResponse"
+)
+
+// VerbosityLevel defines the verbosity of log messages for Metrics Server.
+// +kubebuilder:validation:Enum=Errors;Info;Trace;TraceAll
+type VerbosityLevel string
+
+const (
+ // VerbosityLevelErrors means only critical messages and errors are logged.
+ VerbosityLevelErrors VerbosityLevel = "Errors"
+ // VerbosityLevelInfo means basic informational messages are logged.
+ VerbosityLevelInfo VerbosityLevel = "Info"
+ // VerbosityLevelTrace means extended information useful for general debugging is logged.
+ VerbosityLevelTrace VerbosityLevel = "Trace"
+ // VerbosityLevelTraceAll means detailed information about metric scraping operations is logged.
+ VerbosityLevelTraceAll VerbosityLevel = "TraceAll"
+)
+
+// Audit profile configurations
+type Audit struct {
+ // profile is a required field for configuring the audit log level of the Kubernetes Metrics Server.
+ // Allowed values are None, Metadata, Request, or RequestResponse.
+ // When set to None, audit logging is disabled and no audit events are recorded.
+ // When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body.
+ // When set to Request, event metadata and the request body are logged, but not the response body.
+ // When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.
+ //
+ // See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
+ // for more information about auditing and log levels.
+ // +required
+ Profile AuditProfile `json:"profile,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-CustomNoUpgrade.crd.yaml
index 267d0afb1a..cdc019885b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-CustomNoUpgrade.crd.yaml
@@ -138,6 +138,7 @@ spec: This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. maxLength: 253 + minLength: 1 type: string x-kubernetes-validations: - message: name must consist only of alphanumeric characters,
@@ -900,6 +901,393 @@ spec: and forbidden otherwise rule: 'self.deploymentMode == ''CustomConfig'' ? has(self.customConfig) : !has(self.customConfig)' + metricsServerConfig: + description: |- + metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. + Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + minProperties: 1 + properties: + audit: + description: |- + audit defines the audit configuration used by the Metrics Server instance. + audit is optional. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default sets audit.profile to Metadata + properties: + profile: + description: |- + profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. + Allowed values are None, Metadata, Request, or RequestResponse. + When set to None, audit logging is disabled and no audit events are recorded. + When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. + When set to Request, event metadata and the request body are logged, but not the response body. + When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information. + + See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy + for more information about auditing and log levels. 
+ enum: + - None + - Metadata + - Request + - RequestResponse + type: string + required: + - profile + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector defines the nodes on which the Pods are scheduled + nodeSelector is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default value is `kubernetes.io/os: linux`. + maxProperties: 10 + minProperties: 1 + type: object + resources: + description: |- + resources defines the compute resource requests and limits for the Metrics Server container. + This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + When not specified, defaults are used by the platform. Requests cannot exceed limits. + This field is optional. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. + The current default values are: + resources: + - name: cpu + request: 4m + limit: null + - name: memory + request: 40Mi + limit: null + Maximum length for this list is 10. + Minimum length for this list is 1. + items: + description: ContainerResource defines a single resource requirement + for a container. + properties: + limit: + anyOf: + - type: integer + - type: string + description: |- + limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi"). + This field is optional. + When request is specified, limit cannot be less than request. + The value must be greater than 0 when specified. 
+ maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: limit must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + name: + description: |- + name of the resource (e.g. "cpu", "memory", "hugepages-2Mi"). + This field is required. + name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist only of alphanumeric characters, + `-`, `_` and `.` and must start and end with an alphanumeric + character + rule: '!format.qualifiedName().validate(self).hasValue()' + request: + anyOf: + - type: integer + - type: string + description: |- + request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). + This field is optional. + When limit is specified, request cannot be greater than limit. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: request must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + required: + - name + type: object + x-kubernetes-validations: + - message: at least one of request or limit must be set + rule: has(self.request) || has(self.limit) + - message: limit must be greater than or equal to request + rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) + >= 0' + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tolerations: + description: |- + tolerations defines tolerations for the pods. 
+ tolerations is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Defaults are empty/unset. + Maximum length for this list is 10 + Minimum length for this list is 1 + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed + across topology domains such as zones, nodes, or other user-defined labels. + topologySpreadConstraints is optional. + This helps improve high availability and resource efficiency by avoiding placing + too many replicas in the same failure domain. + + When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + Default is empty list. + Maximum length for this list is 10. + Minimum length for this list is 1 + Entries must have unique topologyKey and whenUnsatisfiable pairs. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. 
+ A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + verbosity: + description: |- + verbosity defines the verbosity of log messages for Metrics Server. + Valid values are Errors, Info, Trace, TraceAll and omitted. + When set to Errors, only critical messages and errors are logged. + When set to Info, only basic information messages are logged. + When set to Trace, information useful for general debugging is logged. + When set to TraceAll, detailed information about metric scraping is logged. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default value is `Errors` + enum: + - Errors + - Info + - Trace + - TraceAll + type: string + type: object userDefined: description: |- userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-DevPreviewNoUpgrade.crd.yaml
index cc80c5fb6c..f79bea45d5 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-DevPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-DevPreviewNoUpgrade.crd.yaml
@@ -138,6 +138,7 @@ spec: This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. maxLength: 253 + minLength: 1 type: string x-kubernetes-validations: - message: name must consist only of alphanumeric characters,
@@ -900,6 +901,393 @@ spec: and forbidden otherwise rule: 'self.deploymentMode == ''CustomConfig'' ? has(self.customConfig) : !has(self.customConfig)' + metricsServerConfig: + description: |- + metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. + Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + minProperties: 1 + properties: + audit: + description: |- + audit defines the audit configuration used by the Metrics Server instance. + audit is optional. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default sets audit.profile to Metadata + properties: + profile: + description: |- + profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. + Allowed values are None, Metadata, Request, or RequestResponse. + When set to None, audit logging is disabled and no audit events are recorded. + When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. + When set to Request, event metadata and the request body are logged, but not the response body. + When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information. + + See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy + for more information about auditing and log levels. 
+ enum: + - None + - Metadata + - Request + - RequestResponse + type: string + required: + - profile + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector defines the nodes on which the Pods are scheduled + nodeSelector is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default value is `kubernetes.io/os: linux`. + maxProperties: 10 + minProperties: 1 + type: object + resources: + description: |- + resources defines the compute resource requests and limits for the Metrics Server container. + This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + When not specified, defaults are used by the platform. Requests cannot exceed limits. + This field is optional. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. + The current default values are: + resources: + - name: cpu + request: 4m + limit: null + - name: memory + request: 40Mi + limit: null + Maximum length for this list is 10. + Minimum length for this list is 1. + items: + description: ContainerResource defines a single resource requirement + for a container. + properties: + limit: + anyOf: + - type: integer + - type: string + description: |- + limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi"). + This field is optional. + When request is specified, limit cannot be less than request. + The value must be greater than 0 when specified. 
+ maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: limit must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + name: + description: |- + name of the resource (e.g. "cpu", "memory", "hugepages-2Mi"). + This field is required. + name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist only of alphanumeric characters, + `-`, `_` and `.` and must start and end with an alphanumeric + character + rule: '!format.qualifiedName().validate(self).hasValue()' + request: + anyOf: + - type: integer + - type: string + description: |- + request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). + This field is optional. + When limit is specified, request cannot be greater than limit. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: request must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + required: + - name + type: object + x-kubernetes-validations: + - message: at least one of request or limit must be set + rule: has(self.request) || has(self.limit) + - message: limit must be greater than or equal to request + rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) + >= 0' + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tolerations: + description: |- + tolerations defines tolerations for the pods. 
+ tolerations is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Defaults are empty/unset. + Maximum length for this list is 10 + Minimum length for this list is 1 + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed + across topology domains such as zones, nodes, or other user-defined labels. + topologySpreadConstraints is optional. + This helps improve high availability and resource efficiency by avoiding placing + too many replicas in the same failure domain. + + When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + Default is empty list. + Maximum length for this list is 10. + Minimum length for this list is 1 + Entries must have unique topologyKey and whenUnsatisfiable pairs. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. 
+ A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + verbosity: + description: |- + verbosity defines the verbosity of log messages for Metrics Server. + Valid values are Errors, Info, Trace, TraceAll and omitted. + When set to Errors, only critical messages and errors are logged. + When set to Info, only basic information messages are logged. + When set to Trace, information useful for general debugging is logged. + When set to TraceAll, detailed information about metric scraping is logged. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default value is `Errors` + enum: + - Errors + - Info + - Trace + - TraceAll + type: string + type: object userDefined: description: |- userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-TechPreviewNoUpgrade.crd.yaml index d6029a85f6..44c1184e1a 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring-TechPreviewNoUpgrade.crd.yaml @@ -138,6 +138,7 @@ spec: This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. maxLength: 253 + minLength: 1 type: string x-kubernetes-validations: - message: name must consist only of alphanumeric characters, 
@@ -900,6 +901,393 @@ spec: and forbidden otherwise rule: 'self.deploymentMode == ''CustomConfig'' ? has(self.customConfig) : !has(self.customConfig)' + metricsServerConfig: + description: |- + metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. + Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + minProperties: 1 + properties: + audit: + description: |- + audit defines the audit configuration used by the Metrics Server instance. + audit is optional. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default sets audit.profile to Metadata + properties: + profile: + description: |- + profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. + Allowed values are None, Metadata, Request, or RequestResponse. + When set to None, audit logging is disabled and no audit events are recorded. + When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. + When set to Request, event metadata and the request body are logged, but not the response body. + When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information. + + See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy + for more information about auditing and log levels. 
+ enum: + - None + - Metadata + - Request + - RequestResponse + type: string + required: + - profile + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector defines the nodes on which the Pods are scheduled + nodeSelector is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default value is `kubernetes.io/os: linux`. + maxProperties: 10 + minProperties: 1 + type: object + resources: + description: |- + resources defines the compute resource requests and limits for the Metrics Server container. + This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + When not specified, defaults are used by the platform. Requests cannot exceed limits. + This field is optional. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. + The current default values are: + resources: + - name: cpu + request: 4m + limit: null + - name: memory + request: 40Mi + limit: null + Maximum length for this list is 10. + Minimum length for this list is 1. + items: + description: ContainerResource defines a single resource requirement + for a container. + properties: + limit: + anyOf: + - type: integer + - type: string + description: |- + limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi"). + This field is optional. + When request is specified, limit cannot be less than request. + The value must be greater than 0 when specified. 
+ maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: limit must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + name: + description: |- + name of the resource (e.g. "cpu", "memory", "hugepages-2Mi"). + This field is required. + name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist only of alphanumeric characters, + `-`, `_` and `.` and must start and end with an alphanumeric + character + rule: '!format.qualifiedName().validate(self).hasValue()' + request: + anyOf: + - type: integer + - type: string + description: |- + request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). + This field is optional. + When limit is specified, request cannot be greater than limit. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: request must be a positive, non-zero quantity + rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0')) + required: + - name + type: object + x-kubernetes-validations: + - message: at least one of request or limit must be set + rule: has(self.request) || has(self.limit) + - message: limit must be greater than or equal to request + rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) + >= 0' + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tolerations: + description: |- + tolerations defines tolerations for the pods. 
+ tolerations is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Defaults are empty/unset. + Maximum length for this list is 10 + Minimum length for this list is 1 + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed + across topology domains such as zones, nodes, or other user-defined labels. + topologySpreadConstraints is optional. + This helps improve high availability and resource efficiency by avoiding placing + too many replicas in the same failure domain. + + When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + Default is empty list. + Maximum length for this list is 10. + Minimum length for this list is 1 + Entries must have unique topologyKey and whenUnsatisfiable pairs. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. 
+ A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + verbosity: + description: |- + verbosity defines the verbosity of log messages for Metrics Server. + Valid values are Errors, Info, Trace, TraceAll and omitted. + When set to Errors, only critical messages and errors are logged. + When set to Info, only basic information messages are logged. + When set to Trace, information useful for general debugging is logged. + When set to TraceAll, detailed information about metric scraping is logged. + When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + The current default value is `Errors` + enum: + - Errors + - Info + - Trace + - TraceAll + type: string + type: object userDefined: description: |- userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index 144b173f6b..6549f6cbe4 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go 
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go @@ -14,11 +14,7 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AlertmanagerConfig) DeepCopyInto(out *AlertmanagerConfig) { *out = *in - if in.CustomConfig != nil { - in, out := &in.CustomConfig, &out.CustomConfig - *out = new(AlertmanagerCustomConfig) - (*in).DeepCopyInto(*out) - } + in.CustomConfig.DeepCopyInto(&out.CustomConfig) return } @@ -86,6 +82,22 @@ func (in *AlertmanagerCustomConfig) DeepCopy() *AlertmanagerCustomConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Audit) DeepCopyInto(out *Audit) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Audit. +func (in *Audit) DeepCopy() *Audit { + if in == nil { + return nil + } + out := new(Audit) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Backup) DeepCopyInto(out *Backup) { *out = *in @@ -350,16 +362,9 @@ func (in *ClusterMonitoringList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) { *out = *in - if in.UserDefined != nil { - in, out := &in.UserDefined, &out.UserDefined - *out = new(UserDefinedMonitoring) - **out = **in - } - if in.AlertmanagerConfig != nil { - in, out := &in.AlertmanagerConfig, &out.AlertmanagerConfig - *out = new(AlertmanagerConfig) - (*in).DeepCopyInto(*out) - } + out.UserDefined = in.UserDefined + in.AlertmanagerConfig.DeepCopyInto(&out.AlertmanagerConfig) + in.MetricsServerConfig.DeepCopyInto(&out.MetricsServerConfig) return } 
@@ -677,6 +682,51 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MetricsServerConfig) DeepCopyInto(out *MetricsServerConfig) { + *out = *in + out.Audit = in.Audit + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsServerConfig. +func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { + if in == nil { + return nil + } + out := new(MetricsServerConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKI) DeepCopyInto(out *PKI) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index b6ff150fcb..6ba6ad11f4 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -143,6 +143,15 @@ func (AlertmanagerCustomConfig) SwaggerDoc() map[string]string { return map_AlertmanagerCustomConfig } +var map_Audit = map[string]string{ + "": "Audit profile configurations", + "profile": "profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. Allowed values are None, Metadata, Request, or RequestResponse. When set to None, audit logging is disabled and no audit events are recorded. When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. When set to Request, event metadata and the request body are logged, but not the response body. When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.\n\nSee: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy for more information about auditing and log levels.", +} + +func (Audit) SwaggerDoc() map[string]string { + return map_Audit +} + var map_ClusterMonitoring = map[string]string{ "": "ClusterMonitoring is the Custom Resource object which holds the current status of Cluster Monitoring Operator. CMO is a central component of the monitoring stack.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. ClusterMonitoring is the Schema for the Cluster Monitoring Operators API", "metadata": "metadata is the standard object metadata.", 
@@ -165,9 +174,10 @@ func (ClusterMonitoringList) SwaggerDoc() map[string]string { } var map_ClusterMonitoringSpec = map[string]string{ - "": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", - "userDefined": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", - "alertmanagerConfig": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", + "": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", + "userDefined": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", + "alertmanagerConfig": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", + "metricsServerConfig": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. 
Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { 
@@ -193,6 +203,20 @@ func (ContainerResource) SwaggerDoc() map[string]string { return map_ContainerResource } +var map_MetricsServerConfig = map[string]string{ + "": "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", + "audit": "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + "verbosity": "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. 
The current default value is `Errors`", + "resources": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", +} + +func (MetricsServerConfig) SwaggerDoc() map[string]string { + return map_MetricsServerConfig +} + var map_UserDefinedMonitoring = map[string]string{ "": "UserDefinedMonitoring config for user-defined projects.", "mode": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. 
This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.", diff --git a/vendor/github.com/openshift/api/console/v1/types_console_cli_download.go b/vendor/github.com/openshift/api/console/v1/types_console_cli_download.go index 90c32815ce..cd61e14a8a 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_cli_download.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_cli_download.go @@ -18,7 +18,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +kubebuilder:metadata:annotations="description=Extension for configuring openshift web console command line interface (CLI) downloads." // +kubebuilder:metadata:annotations="displayName=ConsoleCLIDownload" // +kubebuilder:printcolumn:name=Display name,JSONPath=.spec.displayName,type=string -// +kubebuilder:printcolumn:name=Age,JSONPath=.metadata.creationTimestamp,type=string +// +kubebuilder:printcolumn:name=Age,JSONPath=.metadata.creationTimestamp,type=date // +openshift:compatibility-gen:level=2 type ConsoleCLIDownload struct { metav1.TypeMeta `json:",inline"` diff --git a/vendor/github.com/openshift/api/console/v1/types_console_link.go b/vendor/github.com/openshift/api/console/v1/types_console_link.go index 977fcbda97..a84572925d 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_link.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_link.go 
@@ -19,7 +19,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +kubebuilder:metadata:annotations="displayName=ConsoleLinks" // +kubebuilder:printcolumn:name=Text,JSONPath=.spec.text,type=string // +kubebuilder:printcolumn:name=URL,JSONPath=.spec.href,type=string -// +kubebuilder:printcolumn:name=Menu,JSONPath=.spec.menu,type=string +// +kubebuilder:printcolumn:name=Location,JSONPath=.spec.location,type=string // +kubebuilder:printcolumn:name=Age,JSONPath=.metadata.creationTimestamp,type=date // +openshift:compatibility-gen:level=2 type ConsoleLink struct { diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml index 250f873a09..caa676e691 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml @@ -22,7 +22,7 @@ consoleclidownloads.console.openshift.io: type: string - jsonPath: .metadata.creationTimestamp name: Age - type: string + type: date Scope: Cluster ShortNames: null TopLevelFeatureGates: [] @@ -85,8 +85,8 @@ consolelinks.console.openshift.io: - jsonPath: .spec.href name: URL type: string - - jsonPath: .spec.menu - name: Menu + - jsonPath: .spec.location + name: Location type: string - jsonPath: .metadata.creationTimestamp name: Age diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 0a31a8efa9..54c9fd3dea 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md 
@@ -27,6 +27,9 @@ | AzureDualStackInstall| | | Enabled | Enabled | Enabled | Enabled | | AzureMultiDisk| | | Enabled | Enabled | Enabled | Enabled | | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | +| CBORServingAndStorage| | | Enabled | Enabled | Enabled | Enabled | +| ClientsAllowCBOR| | | Enabled | Enabled | Enabled | Enabled | +| ClientsPreferCBOR| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | | ClusterVersionOperatorConfiguration| | | Enabled | Enabled | Enabled | Enabled | @@ -35,8 +38,8 @@ | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | +| EventTTL| | | Enabled | Enabled | Enabled | Enabled | | Example| | | Enabled | Enabled | Enabled | Enabled | -| ExternalOIDCWithUIDAndExtraClaimMappings| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | Enabled | Enabled | 
@@ -45,19 +48,18 @@ | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | -| InsightsConfigAPI| | | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | | IrreconcilableMachineConfig| | | Enabled | Enabled | Enabled | Enabled | | KMSEncryptionProvider| | | Enabled | Enabled | Enabled | Enabled | | MachineAPIMigration| | | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesAzure| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesCPMS| | | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesvSphere| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | | MinimumKubeletVersion| | | Enabled | Enabled | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled | | MultiDiskSetup| | | Enabled | Enabled | Enabled | Enabled | | MutatingAdmissionPolicy| | | Enabled | Enabled | Enabled | Enabled | -| NodeSwap| | | Enabled | Enabled | Enabled | Enabled | | NutanixMultiSubnets| | | Enabled | Enabled | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | Enabled | Enabled | | PreconfiguredUDNAddresses| | | Enabled | Enabled | Enabled | Enabled | 
@@ -67,9 +69,7 @@ | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled | -| VolumeAttributesClass| | | Enabled | Enabled | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | Enabled | Enabled | -| ExternalOIDC| Enabled | | Enabled | Enabled | Enabled | Enabled | | AdditionalRoutingCapabilities| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AdminNetworkPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AlibabaPlatform| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -77,12 +77,13 @@ | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ExternalOIDC| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ExternalOIDCWithUIDAndExtraClaimMappings| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPIController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | HighlyAvailableArbiter| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ImageVolume| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| IngressControllerLBSubnetsAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MachineConfigNodes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | 
@@ -97,7 +98,6 @@ | RouteAdvertisements| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | StoragePerformantSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UpgradeStatus| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -105,3 +105,4 @@ | UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiDisk| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| VolumeAttributesClass| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index d3ad9b28e6..5d3836a436 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -68,14 +68,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateSetEIPForNLBIngressController = newFeatureGate("SetEIPForNLBIngressController"). - reportProblemsToJiraComponent("Networking / router"). - contactPerson("miheer"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateOpenShiftPodSecurityAdmission = newFeatureGate("OpenShiftPodSecurityAdmission"). reportProblemsToJiraComponent("auth"). contactPerson("ibihim"). 
@@ -92,24 +84,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - // OpenShift and Node Team will keep this turned off until evictions and - // disk provisioning are fixed even though upstream will take this GA. - FeatureGateNodeSwap = newFeatureGate("NodeSwap"). - reportProblemsToJiraComponent("node"). - contactPerson("haircommander"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/2400"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateInsightsConfigAPI = newFeatureGate("InsightsConfigAPI"). - reportProblemsToJiraComponent("insights"). - contactPerson("tremes"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation"). reportProblemsToJiraComponent("scheduling"). contactPerson("jchaloup"). @@ -379,6 +353,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateManagedBootImagesCPMS = newFeatureGate("ManagedBootImagesCPMS"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("djoshy"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1818"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement"). reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("djoshy"). 
@@ -440,7 +422,7 @@ var ( contactPerson("dfajmon"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/3751"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot"). @@ -464,8 +446,7 @@ var ( contactPerson("liouk"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1596"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - enableForClusterProfile(Hypershift, configv1.Default, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings"). @@ -473,8 +454,7 @@ var ( contactPerson("bpalmer"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1777"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateExample = newFeatureGate("Example"). 
@@ -596,14 +576,6 @@ var ( enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() - FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS"). - reportProblemsToJiraComponent("Routing"). - contactPerson("miciah"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateImageStreamImportMode = newFeatureGate("ImageStreamImportMode"). reportProblemsToJiraComponent("Multi-Arch"). contactPerson("psundara"). 
@@ -881,4 +853,36 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1806"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureCBORServingAndStorage = newFeatureGate("CBORServingAndStorage"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("benluddy"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureCBORClientsAllowCBOR = newFeatureGate("ClientsAllowCBOR"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("benluddy"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureClientsPreferCBOR = newFeatureGate("ClientsPreferCBOR"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("benluddy"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureEventTTL = newFeatureGate("EventTTL"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("tjungblu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1857"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index db15df2cc4..b3b38bc6cc 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go 
@@ -17,6 +17,13 @@ type AWSMachineProviderConfig struct { AMI AWSResourceReference `json:"ami"` // instanceType is the type of instance to create. Example: m4.xlarge InstanceType string `json:"instanceType"` + // cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. + // When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + // More info: + // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CpuOptionsRequest.html, + // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cpu-options-supported-instances-values.html + // +optional + CPUOptions *CPUOptions `json:"cpuOptions,omitempty,omitzero"` // tags is the set of tags to add to apply to an instance, in addition to the ones // added by default by the actuator. These tags are additive. The actuator will ensure // these tags are present, but will not remove any other tags that may exist on the 
@@ -109,6 +116,37 @@ type AWSMachineProviderConfig struct { MarketType MarketType `json:"marketType,omitempty"` } +// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance. +// +kubebuilder:validation:Enum=Disabled;AMDEncryptedVirtualizationNestedPaging +type AWSConfidentialComputePolicy string + +const ( + // AWSConfidentialComputePolicyDisabled disables confidential computing for the instance. + AWSConfidentialComputePolicyDisabled AWSConfidentialComputePolicy = "Disabled" + // AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance. + AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AMDEncryptedVirtualizationNestedPaging" +) + +// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. +// If provided, it must not be empty — at least one field must be set. +// +kubebuilder:validation:MinProperties=1 +type CPUOptions struct { + // confidentialCompute specifies whether confidential computing should be enabled for the instance, + // and, if so, which confidential computing technology to use. + // Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging and omitted. + // When set to Disabled, confidential computing will be disabled for the instance. + // When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + // In this case, ensure the following conditions are met: + // 1) The selected instance type supports AMD SEV-SNP. + // 2) The selected AWS region supports AMD SEV-SNP. + // 3) The selected AMI supports AMD SEV-SNP. + // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + // When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + // which is subject to change without notice. The current default is Disabled. 
+ // +optional + ConfidentialCompute *AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"` +} + // BlockDeviceMappingSpec describes a block device mapping type BlockDeviceMappingSpec struct { // The device name exposed to the machine (for example, /dev/sdh or xvdh). diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index 7763435a9e..5aa4f90a49 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -18,6 +18,11 @@ func (in *AWSMachineProviderConfig) DeepCopyInto(out *AWSMachineProviderConfig) out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.AMI.DeepCopyInto(&out.AMI) + if in.CPUOptions != nil { + in, out := &in.CPUOptions, &out.CPUOptions + *out = new(CPUOptions) + (*in).DeepCopyInto(*out) + } if in.Tags != nil { in, out := &in.Tags, &out.Tags *out = make([]TagSpecification, len(*in)) @@ -411,6 +416,27 @@ func (in *BlockDeviceMappingSpec) DeepCopy() *BlockDeviceMappingSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CPUOptions) DeepCopyInto(out *CPUOptions) { + *out = *in + if in.ConfidentialCompute != nil { + in, out := &in.ConfidentialCompute, &out.ConfidentialCompute + *out = new(AWSConfidentialComputePolicy) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CPUOptions. +func (in *CPUOptions) DeepCopy() *CPUOptions { + if in == nil { + return nil + } + out := new(CPUOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Condition) DeepCopyInto(out *Condition) { *out = *in 
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index e40d744f60..4a1b969a81 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -15,6 +15,7 @@ var map_AWSMachineProviderConfig = map[string]string{ "": "AWSMachineProviderConfig is the Schema for the awsmachineproviderconfigs API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", "ami": "ami is the reference to the AMI from which to create the machine instance.", "instanceType": "instanceType is the type of instance to create. Example: m4.xlarge", + "cpuOptions": "cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. More info: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CpuOptionsRequest.html, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cpu-options-supported-instances-values.html", "tags": "tags is the set of tags to add to apply to an instance, in addition to the ones added by default by the actuator. These tags are additive. The actuator will ensure these tags are present, but will not remove any other tags that may exist on the instance.", "iamInstanceProfile": "iamInstanceProfile is a reference to an IAM role to assign to the instance", "userDataSecret": "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", 
@@ -82,6 +83,15 @@ func (BlockDeviceMappingSpec) SwaggerDoc() map[string]string { return map_BlockDeviceMappingSpec } +var map_CPUOptions = map[string]string{ + "": "CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. If provided, it must not be empty — at least one field must be set.", + "confidentialCompute": "confidentialCompute specifies whether confidential computing should be enabled for the instance, and, if so, which confidential computing technology to use. Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging and omitted. When set to Disabled, confidential computing will be disabled for the instance. When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. In this case, ensure the following conditions are met: 1) The selected instance type supports AMD SEV-SNP. 2) The selected AWS region supports AMD SEV-SNP. 3) The selected AMI supports AMD SEV-SNP. More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.", +} + +func (CPUOptions) SwaggerDoc() map[string]string { + return map_CPUOptions +} + var map_EBSBlockDeviceSpec = map[string]string{ "": "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go index effe1656e3..97460171b0 100644 
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go @@ -17,6 +17,7 @@ import ( // +kubebuilder:printcolumn:name="DesiredConfig",type="string",JSONPath=.spec.configVersion.desired,priority=0 // +kubebuilder:printcolumn:name="CurrentConfig",type="string",JSONPath=.status.configVersion.current,priority=0 // +kubebuilder:printcolumn:name="Updated",type="string",JSONPath=.status.conditions[?(@.type=="Updated")].status,priority=0 +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",priority=0 // +kubebuilder:printcolumn:name="UpdatePrepared",type="string",JSONPath=.status.conditions[?(@.type=="UpdatePrepared")].status,priority=1 // +kubebuilder:printcolumn:name="UpdateExecuted",type="string",JSONPath=.status.conditions[?(@.type=="UpdateExecuted")].status,priority=1 // +kubebuilder:printcolumn:name="UpdatePostActionComplete",type="string",JSONPath=.status.conditions[?(@.type=="UpdatePostActionComplete")].status,priority=1 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml index 46d9a6ea46..03e01cd2f6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml 
@@ -32,6 +32,9 @@ spec: - jsonPath: .status.conditions[?(@.type=="Updated")].status name: Updated type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status name: UpdatePrepared priority: 1 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml index 21d9caaa42..4e96be5ea9 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml @@ -32,6 +32,9 @@ spec: - jsonPath: .status.conditions[?(@.type=="Updated")].status name: Updated type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status name: UpdatePrepared priority: 1 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml index a68b8d0adf..15523b5db1 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml 
@@ -32,6 +32,9 @@ spec: - jsonPath: .status.conditions[?(@.type=="Updated")].status name: Updated type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status name: UpdatePrepared priority: 1 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml index 74d7000f65..02402f7505 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml @@ -32,6 +32,9 @@ spec: - jsonPath: .status.conditions[?(@.type=="Updated")].status name: Updated type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status name: UpdatePrepared priority: 1 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index d80bfc5848..7d78ab9646 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -142,6 +142,9 @@ machineconfignodes.machineconfiguration.openshift.io: - jsonPath: .status.conditions[?(@.type=="Updated")].status name: Updated type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status name: UpdatePrepared priority: 1 diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index 35b50a8fbd..2dac08f099 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -460,7 +460,7 @@ var ( type CIDR string // LoadBalancerStrategy holds parameters for a load balancer. -// +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule="!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)",message="eipAllocations are forbidden when the scope is Internal." +// +kubebuilder:validation:XValidation:rule="!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)",message="eipAllocations are forbidden when the scope is Internal." // +kubebuilder:validation:XValidation:rule=`!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) || self.providerParameters.openstack.floatingIP == ""`,message="cannot specify a floating ip when scope is internal" type LoadBalancerStrategy struct { // scope indicates the scope at which the load balancer is exposed. 
@@ -797,15 +797,14 @@ type AWSClassicLoadBalancerParameters struct {
 // in the status of the IngressController object.
 //
 // +optional
- // +openshift:enable:FeatureGate=IngressControllerLBSubnetsAWS
 Subnets *AWSSubnets `json:"subnets,omitempty"`
 }
 // AWSNetworkLoadBalancerParameters holds configuration parameters for an
 // AWS Network load balancer. For Example: Setting AWS EIPs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
-// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.ids) && has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids + self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
-// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.ids) && !has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
-// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.names) && !has(self.subnets.ids) && has(self.eipAllocations) ? size(self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
+// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.ids) && has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids + self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
+// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.ids) && !has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
+// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.names) && !has(self.subnets.ids) && has(self.eipAllocations) ? size(self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations"
 type AWSNetworkLoadBalancerParameters struct {
 // subnets specifies the subnets to which the load balancer will
 // attach. The subnets may be specified by either their
@@ -821,7 +820,6 @@ type AWSNetworkLoadBalancerParameters struct {
 // in the status of the IngressController object.
 //
 // +optional
- // +openshift:enable:FeatureGate=IngressControllerLBSubnetsAWS
 Subnets *AWSSubnets `json:"subnets,omitempty"`
 // eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -837,7 +835,6 @@ type AWSNetworkLoadBalancerParameters struct {
 // See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general
 // information about configuration, characteristics, and limitations of Elastic IP addresses.
 //
- // +openshift:enable:FeatureGate=SetEIPForNLBIngressController
 // +optional
 // +listType=atomic
 // +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates"
diff --git a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
index 7d468755a1..1461f11a12 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
@@ -35,6 +35,21 @@ type KubeAPIServer struct {
 type KubeAPIServerSpec struct {
 StaticPodOperatorSpec `json:",inline"`
+
+ // eventTTLMinutes specifies the amount of time that the events are stored before being deleted.
+ // The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours).
+ //
+ // Lowering this value will reduce the storage required in etcd. Note that this setting will only apply
+ // to new events being created and will not update existing events.
+ //
+ // When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default value is 3h (180 minutes).
+ //
+ // +openshift:enable:FeatureGate=EventTTL
+ // +kubebuilder:validation:Minimum=5
+ // +kubebuilder:validation:Maximum=180
+ // +optional
+ EventTTLMinutes int32 `json:"eventTTLMinutes,omitempty"`
 }
 type KubeAPIServerStatus struct {
@@ -46,6 +61,7 @@ type KubeAPIServerStatus struct {
 // The default expiration for the items is set by the platform and it defaults to 24h.
 // see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection
 // +optional
+ // +listType=atomic
 ServiceAccountIssuers []ServiceAccountIssuerStatus `json:"serviceAccountIssuers,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
index 8f779db2a6..c6bcd22bc0 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
@@ -17,6 +17,9 @@ import (
 //
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
 type MachineConfiguration struct {
 metav1.TypeMeta `json:",inline"`
@@ -36,8 +39,6 @@ type MachineConfiguration struct {
 type MachineConfigurationSpec struct {
 StaticPodOperatorSpec `json:",inline"`
- // TODO(jkyros): This is where we put our knobs and dials
-
 // managedBootImages allows configuration for the management of boot images for machine
 // resources within the cluster. This configuration allows users to select resources that should
 // be updated to the latest boot images during cluster upgrades, ensuring that new machines
@@ -65,8 +66,186 @@ type MachineConfigurationSpec struct {
 // +openshift:enable:FeatureGate=IrreconcilableMachineConfig
 // +optional
 IrreconcilableValidationOverrides IrreconcilableValidationOverrides `json:"irreconcilableValidationOverrides,omitempty,omitzero"`
+
+ // bootImageSkewEnforcement allows an admin to configure how boot image version skew is
+ // enforced on the cluster.
+ // When omitted, this will default to Automatic for clusters that support automatic boot image updates.
+ // For clusters that do not support automatic boot image updates, cluster upgrades will be disabled until
+ // a skew enforcement mode has been specified.
+ // When version skew is being enforced, cluster upgrades will be disabled until the version skew is deemed
+ // acceptable for the current release payload.
+ // +openshift:enable:FeatureGate=BootImageSkewEnforcement
+ // +optional
+ BootImageSkewEnforcement BootImageSkewEnforcementConfig `json:"bootImageSkewEnforcement,omitempty,omitzero"`
 }
+// BootImageSkewEnforcementConfig is used to configure how boot image version skew is enforced on the cluster.
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && (self.mode =='Manual') ? has(self.manual) : !has(self.manual)",message="manual is required when mode is Manual, and forbidden otherwise"
+// +union
+type BootImageSkewEnforcementConfig struct {
+ // mode determines the underlying behavior of skew enforcement mechanism.
+ // Valid values are Manual and None.
+ // Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP
+ & RHCOS version associated with the last boot image update in the manual field.
+ // In Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the
+ // skew limit described by the release image.
+ // None means that the MCO will no longer monitor the boot image skew. This may affect
+ // the cluster's ability to scale.
+ // This field is required.
+ // +unionDiscriminator
+ // +required
+ Mode BootImageSkewEnforcementConfigMode `json:"mode,omitempty"`
+
+ // manual describes the current boot image of the cluster.
+ // This should be set to the oldest boot image used amongst all machine resources in the cluster.
+ // This must include either the RHCOS version of the boot image or the OCP release version which shipped with that
+ // RHCOS boot image.
+ // Required when mode is set to "Manual" and forbidden otherwise.
+ // +optional
+ Manual ClusterBootImageManual `json:"manual,omitempty,omitzero"`
+}
+
+// ClusterBootImageManual is used to describe the cluster boot image in Manual mode.
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && (self.mode =='OCPVersion') ? has(self.ocpVersion) : !has(self.ocpVersion)",message="ocpVersion is required when mode is OCPVersion, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && (self.mode =='RHCOSVersion') ? has(self.rhcosVersion) : !has(self.rhcosVersion)",message="rhcosVersion is required when mode is RHCOSVersion, and forbidden otherwise"
+// +union
+type ClusterBootImageManual struct {
+ // mode is used to configure which boot image field is defined in Manual mode.
+ // Valid values are OCPVersion and RHCOSVersion.
+ // OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update
+ // in the OCPVersion field.
+ // RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update
+ // in the RHCOSVersion field.
+ // This field is required.
+ // +unionDiscriminator
+ // +required
+ Mode ClusterBootImageManualMode `json:"mode,omitempty"`
+
+ // ocpVersion provides a string which represents the OCP version of the boot image.
+ // This field must match the OCP semver compatible format of x.y.z. This field must be between
+ // 5 and 10 characters long.
+ // Required when mode is set to "OCPVersion" and forbidden otherwise.
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]+\\\\.[0-9]+\\\\.[0-9]+$')",message="ocpVersion must match the OCP semver compatible format of x.y.z"
+ // +kubebuilder:validation:MaxLength:=10
+ // +kubebuilder:validation:MinLength:=5
+ // +optional
+ OCPVersion string `json:"ocpVersion,omitempty"`
+
+ // rhcosVersion provides a string which represents the RHCOS version of the boot image
+ // This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy
+ // format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between
+ // 14 and 21 characters long.
+ // Required when mode is set to "RHCOSVersion" and forbidden otherwise.
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]+\\\\.[0-9]+\\\\.([0-9]{8}|[0-9]{12})-[0-9]+$')",message="rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]"
+ // +kubebuilder:validation:MaxLength:=21
+ // +kubebuilder:validation:MinLength:=14
+ // +optional
+ RHCOSVersion string `json:"rhcosVersion,omitempty"`
+}
+
+// ClusterBootImageManualMode is a string enum used to define the cluster's boot image in manual mode.
+// +kubebuilder:validation:Enum:="OCPVersion";"RHCOSVersion"
+type ClusterBootImageManualMode string
+
+const (
+ // OCPVersion represents a configuration mode used to define the OCPVersion.
+ ClusterBootImageSpecModeOCPVersion ClusterBootImageManualMode = "OCPVersion"
+
+ // RHCOSVersion represents a configuration mode used to define the RHCOSVersion.
+ ClusterBootImageSpecModeRHCOSVersion ClusterBootImageManualMode = "RHCOSVersion"
+)
+
+// BootImageSkewEnforcementStatus is the type for the status object. It represents the cluster defaults when
+// the boot image skew enforcement configuration is undefined and reflects the actual configuration when it is defined.
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && (self.mode == 'Automatic') ? has(self.automatic) : !has(self.automatic)",message="automatic is required when mode is Automatic, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && (self.mode == 'Manual') ? has(self.manual) : !has(self.manual)",message="manual is required when mode is Manual, and forbidden otherwise"
+// +union
+type BootImageSkewEnforcementStatus struct {
+ // mode determines the underlying behavior of skew enforcement mechanism.
+ // Valid values are Automatic, Manual and None.
+ // Automatic means that the MCO will perform boot image updates and store the
+ OCP & RHCOS version associated with the last boot image update in the automatic field.
+ // Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP
+ & RHCOS version associated with the last boot image update in the manual field.
+ // In Automatic and Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the
+ // skew limit described by the release image.
+ // None means that the MCO will no longer monitor the boot image skew. This may affect
+ // the cluster's ability to scale.
+ // This field is required.
+ // +unionDiscriminator
+ // +required
+ Mode BootImageSkewEnforcementModeStatus `json:"mode,omitempty"`
+
+ // automatic describes the current boot image of the cluster.
+ // This will be populated by the MCO when performing boot image updates. This value will be compared against
+ // the cluster's skew limit to determine skew compliance.
+ // Required when mode is set to "Automatic" and forbidden otherwise.
+ // +optional
+ Automatic ClusterBootImageAutomatic `json:"automatic,omitempty,omitzero"`
+
+ // manual describes the current boot image of the cluster.
+ // This will be populated by the MCO using the values provided in the spec.bootImageSkewEnforcement.manual field.
+ // This value will be compared against the cluster's skew limit to determine skew compliance.
+ // Required when mode is set to "Manual" and forbidden otherwise.
+ // +optional
+ Manual ClusterBootImageManual `json:"manual,omitempty,omitzero"`
+}
+
+// ClusterBootImageAutomatic is used to describe the cluster boot image in Automatic mode. It stores the RHCOS version of the
+// boot image and the OCP release version which shipped with that RHCOS boot image. At least one of these values are required.
+// If ocpVersion and rhcosVersion are defined, both values will be used for checking skew compliance.
+// If only ocpVersion is defined, only that value will be used for checking skew compliance.
+// If only rhcosVersion is defined, only that value will be used for checking skew compliance.
+// +kubebuilder:validation:XValidation:rule="has(self.ocpVersion) || has(self.rhcosVersion)",message="at least one of ocpVersion or rhcosVersion is required"
+// +kubebuilder:validation:MinProperties=1
+type ClusterBootImageAutomatic struct {
+ // ocpVersion provides a string which represents the OCP version of the boot image.
+ // This field must match the OCP semver compatible format of x.y.z. This field must be between
+ // 5 and 10 characters long.
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]+\\\\.[0-9]+\\\\.[0-9]+$')",message="ocpVersion must match the OCP semver compatible format of x.y.z"
+ // +kubebuilder:validation:MaxLength:=10
+ // +kubebuilder:validation:MinLength:=5
+ // +optional
+ OCPVersion string `json:"ocpVersion,omitempty"`
+
+ // rhcosVersion provides a string which represents the RHCOS version of the boot image
+ // This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy
+ // format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between
+ // 14 and 21 characters long.
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]+\\\\.[0-9]+\\\\.([0-9]{8}|[0-9]{12})-[0-9]+$')",message="rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]"
+ // +kubebuilder:validation:MaxLength:=21
+ // +kubebuilder:validation:MinLength:=14
+ // +optional
+ RHCOSVersion string `json:"rhcosVersion,omitempty"`
+}
+
+// BootImageSkewEnforcementConfigMode is a string enum used to configure the cluster's boot image skew enforcement mode.
+// +kubebuilder:validation:Enum:="Manual";"None"
+type BootImageSkewEnforcementConfigMode string
+
+const (
+ // Manual represents a configuration mode that allows manual skew enforcement.
+ BootImageSkewEnforcementConfigModeManual BootImageSkewEnforcementConfigMode = "Manual"
+
+ // None represents a configuration mode that disables boot image skew enforcement.
+ BootImageSkewEnforcementConfigModeNone BootImageSkewEnforcementConfigMode = "None"
+)
+
+// BootImageSkewEnforcementModeStatus is a string enum used to indicate the cluster's boot image skew enforcement mode.
+// +kubebuilder:validation:Enum:="Automatic";"Manual";"None"
+type BootImageSkewEnforcementModeStatus string
+
+const (
+ // Automatic represents a configuration mode that allows automatic skew enforcement.
+ BootImageSkewEnforcementModeStatusAutomatic BootImageSkewEnforcementModeStatus = "Automatic"
+
+ // Manual represents a configuration mode that allows manual skew enforcement.
+ BootImageSkewEnforcementModeStatusManual BootImageSkewEnforcementModeStatus = "Manual"
+
+ // None represents a configuration mode that disables boot image skew enforcement.
+ BootImageSkewEnforcementModeStatusNone BootImageSkewEnforcementModeStatus = "None"
+)
+
 type MachineConfigurationStatus struct {
 // observedGeneration is the last generation change you've dealt with
 // +optional
@@ -111,6 +290,16 @@ type MachineConfigurationStatus struct {
 // +openshift:enable:FeatureGate=ManagedBootImages
 // +optional
 ManagedBootImagesStatus ManagedBootImages `json:"managedBootImagesStatus"`
+
+ // bootImageSkewEnforcementStatus reflects what the latest cluster-validated boot image skew enforcement
+ // configuration is and will be used by Machine Config Controller while performing boot image skew enforcement.
+ // When omitted, the MCO has no knowledge of how to enforce boot image skew. When the MCO does not know how
+ // boot image skew should be enforced, cluster upgrades will be blocked until it can either automatically
+ // determine skew enforcement or there is an explicit skew enforcement configuration provided in the
+ // spec.bootImageSkewEnforcement field.
+ // +openshift:enable:FeatureGate=BootImageSkewEnforcement
+ // +optional
+ BootImageSkewEnforcementStatus BootImageSkewEnforcementStatus `json:"bootImageSkewEnforcementStatus,omitempty,omitzero"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -177,10 +366,12 @@ type ManagedBootImages struct {
 // MachineManager describes a target machine resource that is registered for boot image updates. It stores identifying information
 // such as the resource type and the API Group of the resource. It also provides granular control via the selection field.
+// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=ManagedBootImages;ManagedBootImagesCPMS,rule="self.resource != 'controlplanemachinesets' || self.selection.mode == 'All' || self.selection.mode == 'None'", message="Only All or None selection mode is permitted for ControlPlaneMachineSets"
 type MachineManager struct {
 // resource is the machine management resource's type.
- // The only current valid value is machinesets.
+ // Valid values are machinesets and controlplanemachinesets.
 // machinesets means that the machine manager will only register resources of the kind MachineSet.
+ // controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
 // +required
 Resource MachineManagerMachineSetsResourceType `json:"resource"`
@@ -199,9 +390,10 @@ type MachineManager struct {
 // +union
 type MachineManagerSelector struct {
 // mode determines how machine managers will be selected for updates.
- // Valid values are All and Partial.
+ // Valid values are All, Partial and None.
 // All means that every resource matched by the machine manager will be updated.
 // Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated.
+ // Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster.
 // None means that every resource matched by the machine manager will not be updated.
 // +unionDiscriminator
 // +required
@@ -238,12 +430,15 @@ const (
 // MachineManagerManagedResourceType is a string enum used in the MachineManager type to describe the resource
 // type to be registered.
-// +kubebuilder:validation:Enum:="machinesets"
+// +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=ManagedBootImages,enum=machinesets
+// +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=ManagedBootImages;ManagedBootImagesCPMS,enum=machinesets;controlplanemachinesets
 type MachineManagerMachineSetsResourceType string
 const (
 // MachineSets represent the MachineSet resource type, which manage a group of machines and belong to the Openshift machine API group.
 MachineSets MachineManagerMachineSetsResourceType = "machinesets"
+ // ControlPlaneMachineSets represent the ControlPlaneMachineSets resource type, which manage a group of control-plane machines and belong to the Openshift machine API group.
+ ControlPlaneMachineSets MachineManagerMachineSetsResourceType = "controlplanemachinesets"
 )
 // MachineManagerManagedAPIGroupType is a string enum used in in the MachineManager type to describe the APIGroup
@@ -253,7 +448,7 @@ type MachineManagerMachineSetsAPIGroupType string
 const (
 // MachineAPI represent the traditional MAPI Group that a machineset may belong to.
- // This feature only supports MAPI machinesets at this time.
+ // This feature only supports MAPI machinesets and controlplanemachinesets at this time.
 MachineAPI MachineManagerMachineSetsAPIGroupType = "machine.openshift.io"
 )
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
new file mode 100644
index 0000000000..ba2587dc9d
--- /dev/null
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml index a8664362d6..3e7c51dc6f 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io @@ -320,6 +321,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic version: description: version is the level this availability applies to type: string 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..b0d11038de --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..48d0d6a709 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml index da62cb7eec..c165fca6bf 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml 
@@ -46,6 +46,98 @@ spec: description: spec is the specification of the desired behavior of the Machine Config Operator properties: + bootImageSkewEnforcement: + description: |- + bootImageSkewEnforcement allows an admin to configure how boot image version skew is + enforced on the cluster. + When omitted, this will default to Automatic for clusters that support automatic boot image updates. + For clusters that do not support automatic boot image updates, cluster upgrades will be disabled until + a skew enforcement mode has been specified. + When version skew is being enforced, cluster upgrades will be disabled until the version skew is deemed + acceptable for the current release payload. + properties: + manual: + description: |- + manual describes the current boot image of the cluster. + This should be set to the oldest boot image used amongst all machine resources in the cluster. + This must include either the RHCOS version of the boot image or the OCP release version which shipped with that + RHCOS boot image. + Required when mode is set to "Manual" and forbidden otherwise. + properties: + mode: + description: |- + mode is used to configure which boot image field is defined in Manual mode. + Valid values are OCPVersion and RHCOSVersion. + OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update + in the OCPVersion field. + RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update + in the RHCOSVersion field. + This field is required. + enum: + - OCPVersion + - RHCOSVersion + type: string + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + Required when mode is set to "OCPVersion" and forbidden otherwise. 
+ maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. + Required when mode is set to "RHCOSVersion" and forbidden otherwise. + maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + required: + - mode + type: object + x-kubernetes-validations: + - message: ocpVersion is required when mode is OCPVersion, and + forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''OCPVersion'') ? has(self.ocpVersion) + : !has(self.ocpVersion)' + - message: rhcosVersion is required when mode is RHCOSVersion, + and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''RHCOSVersion'') ? has(self.rhcosVersion) + : !has(self.rhcosVersion)' + mode: + description: |- + mode determines the underlying behavior of skew enforcement mechanism. + Valid values are Manual and None. + Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP + & RHCOS version associated with the last boot image update in the manual field. + In Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the + skew limit described by the release image. + None means that the MCO will no longer monitor the boot image skew. This may affect + the cluster's ability to scale. 
+ This field is required. + enum: + - Manual + - None + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: manual is required when mode is Manual, and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''Manual'') ? has(self.manual) + : !has(self.manual)' failedRevisionLimit: description: |- failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api @@ -136,10 +228,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -149,9 +243,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -228,6 +323,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
@@ -682,6 +782,140 @@ spec: description: status is the most recently observed status of the Machine Config Operator properties: + bootImageSkewEnforcementStatus: + description: |- + bootImageSkewEnforcementStatus reflects what the latest cluster-validated boot image skew enforcement + configuration is and will be used by Machine Config Controller while performing boot image skew enforcement. + When omitted, the MCO has no knowledge of how to enforce boot image skew. When the MCO does not know how + boot image skew should be enforced, cluster upgrades will be blocked until it can either automatically + determine skew enforcement or there is an explicit skew enforcement configuration provided in the + spec.bootImageSkewEnforcement field. + properties: + automatic: + description: |- + automatic describes the current boot image of the cluster. + This will be populated by the MCO when performing boot image updates. This value will be compared against + the cluster's skew limit to determine skew compliance. + Required when mode is set to "Automatic" and forbidden otherwise. + minProperties: 1 + properties: + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. 
+ maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + type: object + x-kubernetes-validations: + - message: at least one of ocpVersion or rhcosVersion is required + rule: has(self.ocpVersion) || has(self.rhcosVersion) + manual: + description: |- + manual describes the current boot image of the cluster. + This will be populated by the MCO using the values provided in the spec.bootImageSkewEnforcement.manual field. + This value will be compared against the cluster's skew limit to determine skew compliance. + Required when mode is set to "Manual" and forbidden otherwise. + properties: + mode: + description: |- + mode is used to configure which boot image field is defined in Manual mode. + Valid values are OCPVersion and RHCOSVersion. + OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update + in the OCPVersion field. + RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update + in the RHCOSVersion field. + This field is required. + enum: + - OCPVersion + - RHCOSVersion + type: string + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + Required when mode is set to "OCPVersion" and forbidden otherwise. 
+ maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. + Required when mode is set to "RHCOSVersion" and forbidden otherwise. + maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + required: + - mode + type: object + x-kubernetes-validations: + - message: ocpVersion is required when mode is OCPVersion, and + forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''OCPVersion'') ? has(self.ocpVersion) + : !has(self.ocpVersion)' + - message: rhcosVersion is required when mode is RHCOSVersion, + and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''RHCOSVersion'') ? has(self.rhcosVersion) + : !has(self.rhcosVersion)' + mode: + description: |- + mode determines the underlying behavior of skew enforcement mechanism. + Valid values are Automatic, Manual and None. + Automatic means that the MCO will perform boot image updates and store the + OCP & RHCOS version associated with the last boot image update in the automatic field. + Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP + & RHCOS version associated with the last boot image update in the manual field. 
+ In Automatic and Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the + skew limit described by the release image. + None means that the MCO will no longer monitor the boot image skew. This may affect + the cluster's ability to scale. + This field is required. + enum: + - Automatic + - Manual + - None + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: automatic is required when mode is Automatic, and forbidden + otherwise + rule: 'has(self.mode) && (self.mode == ''Automatic'') ? has(self.automatic) + : !has(self.automatic)' + - message: manual is required when mode is Manual, and forbidden otherwise + rule: 'has(self.mode) && (self.mode == ''Manual'') ? has(self.manual) + : !has(self.manual)' conditions: description: conditions is a list of conditions and their status items: @@ -767,10 +1001,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine 
@@ -780,9 +1016,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -859,6 +1096,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
@@ -1276,6 +1518,25 @@ spec: required: - spec type: object + x-kubernetes-validations: + - message: when skew enforcement is in Automatic mode, a boot image configuration + is required + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() + : true' + - message: when skew enforcement is in Automatic mode, managedBootImages must + contain a MachineManager opting in all MachineAPI MachineSets + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, + m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup + == ''machine.openshift.io'') : true' + - message: when skew enforcement is in Automatic mode, managedBootImagesStatus + must contain a MachineManager opting in all MachineAPI MachineSets + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || + self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode + == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''): + true' served: true storage: true subresources: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml index 7c8d986928..3de28dcdf3 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml 
@@ -103,8 +103,9 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets type: string @@ -116,9 +117,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -734,8 +736,9 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets type: string 
@@ -747,9 +750,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml index 9062795e78..544168f415 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml 
@@ -46,6 +46,98 @@ spec: description: spec is the specification of the desired behavior of the Machine Config Operator properties: + bootImageSkewEnforcement: + description: |- + bootImageSkewEnforcement allows an admin to configure how boot image version skew is + enforced on the cluster. + When omitted, this will default to Automatic for clusters that support automatic boot image updates. + For clusters that do not support automatic boot image updates, cluster upgrades will be disabled until + a skew enforcement mode has been specified. + When version skew is being enforced, cluster upgrades will be disabled until the version skew is deemed + acceptable for the current release payload. + properties: + manual: + description: |- + manual describes the current boot image of the cluster. + This should be set to the oldest boot image used amongst all machine resources in the cluster. + This must include either the RHCOS version of the boot image or the OCP release version which shipped with that + RHCOS boot image. + Required when mode is set to "Manual" and forbidden otherwise. + properties: + mode: + description: |- + mode is used to configure which boot image field is defined in Manual mode. + Valid values are OCPVersion and RHCOSVersion. + OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update + in the OCPVersion field. + RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update + in the RHCOSVersion field. + This field is required. + enum: + - OCPVersion + - RHCOSVersion + type: string + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + Required when mode is set to "OCPVersion" and forbidden otherwise. 
+ maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. + Required when mode is set to "RHCOSVersion" and forbidden otherwise. + maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + required: + - mode + type: object + x-kubernetes-validations: + - message: ocpVersion is required when mode is OCPVersion, and + forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''OCPVersion'') ? has(self.ocpVersion) + : !has(self.ocpVersion)' + - message: rhcosVersion is required when mode is RHCOSVersion, + and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''RHCOSVersion'') ? has(self.rhcosVersion) + : !has(self.rhcosVersion)' + mode: + description: |- + mode determines the underlying behavior of skew enforcement mechanism. + Valid values are Manual and None. + Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP + & RHCOS version associated with the last boot image update in the manual field. + In Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the + skew limit described by the release image. + None means that the MCO will no longer monitor the boot image skew. This may affect + the cluster's ability to scale. 
+ This field is required. + enum: + - Manual + - None + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: manual is required when mode is Manual, and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''Manual'') ? has(self.manual) + : !has(self.manual)' failedRevisionLimit: description: |- failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api @@ -136,10 +228,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -149,9 +243,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -228,6 +323,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
@@ -682,6 +782,140 @@ spec: description: status is the most recently observed status of the Machine Config Operator properties: + bootImageSkewEnforcementStatus: + description: |- + bootImageSkewEnforcementStatus reflects what the latest cluster-validated boot image skew enforcement + configuration is and will be used by Machine Config Controller while performing boot image skew enforcement. + When omitted, the MCO has no knowledge of how to enforce boot image skew. When the MCO does not know how + boot image skew should be enforced, cluster upgrades will be blocked until it can either automatically + determine skew enforcement or there is an explicit skew enforcement configuration provided in the + spec.bootImageSkewEnforcement field. + properties: + automatic: + description: |- + automatic describes the current boot image of the cluster. + This will be populated by the MCO when performing boot image updates. This value will be compared against + the cluster's skew limit to determine skew compliance. + Required when mode is set to "Automatic" and forbidden otherwise. + minProperties: 1 + properties: + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. 
+ maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + type: object + x-kubernetes-validations: + - message: at least one of ocpVersion or rhcosVersion is required + rule: has(self.ocpVersion) || has(self.rhcosVersion) + manual: + description: |- + manual describes the current boot image of the cluster. + This will be populated by the MCO using the values provided in the spec.bootImageSkewEnforcement.manual field. + This value will be compared against the cluster's skew limit to determine skew compliance. + Required when mode is set to "Manual" and forbidden otherwise. + properties: + mode: + description: |- + mode is used to configure which boot image field is defined in Manual mode. + Valid values are OCPVersion and RHCOSVersion. + OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update + in the OCPVersion field. + RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update + in the RHCOSVersion field. + This field is required. + enum: + - OCPVersion + - RHCOSVersion + type: string + ocpVersion: + description: |- + ocpVersion provides a string which represents the OCP version of the boot image. + This field must match the OCP semver compatible format of x.y.z. This field must be between + 5 and 10 characters long. + Required when mode is set to "OCPVersion" and forbidden otherwise. 
+ maxLength: 10 + minLength: 5 + type: string + x-kubernetes-validations: + - message: ocpVersion must match the OCP semver compatible + format of x.y.z + rule: self.matches('^[0-9]+\\.[0-9]+\\.[0-9]+$') + rhcosVersion: + description: |- + rhcosVersion provides a string which represents the RHCOS version of the boot image + This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy + format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between + 14 and 21 characters long. + Required when mode is set to "RHCOSVersion" and forbidden otherwise. + maxLength: 21 + minLength: 14 + type: string + x-kubernetes-validations: + - message: rhcosVersion must match format [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] + or must match legacy format [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] + rule: self.matches('^[0-9]+\\.[0-9]+\\.([0-9]{8}|[0-9]{12})-[0-9]+$') + required: + - mode + type: object + x-kubernetes-validations: + - message: ocpVersion is required when mode is OCPVersion, and + forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''OCPVersion'') ? has(self.ocpVersion) + : !has(self.ocpVersion)' + - message: rhcosVersion is required when mode is RHCOSVersion, + and forbidden otherwise + rule: 'has(self.mode) && (self.mode ==''RHCOSVersion'') ? has(self.rhcosVersion) + : !has(self.rhcosVersion)' + mode: + description: |- + mode determines the underlying behavior of skew enforcement mechanism. + Valid values are Automatic, Manual and None. + Automatic means that the MCO will perform boot image updates and store the + OCP & RHCOS version associated with the last boot image update in the automatic field. + Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP + & RHCOS version associated with the last boot image update in the manual field. 
+ In Automatic and Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the + skew limit described by the release image. + None means that the MCO will no longer monitor the boot image skew. This may affect + the cluster's ability to scale. + This field is required. + enum: + - Automatic + - Manual + - None + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: automatic is required when mode is Automatic, and forbidden + otherwise + rule: 'has(self.mode) && (self.mode == ''Automatic'') ? has(self.automatic) + : !has(self.automatic)' + - message: manual is required when mode is Manual, and forbidden otherwise + rule: 'has(self.mode) && (self.mode == ''Manual'') ? has(self.manual) + : !has(self.manual)' conditions: description: conditions is a list of conditions and their status items: @@ -767,10 +1001,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine 
@@ -780,9 +1016,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -859,6 +1096,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
@@ -1276,6 +1518,25 @@ spec: required: - spec type: object + x-kubernetes-validations: + - message: when skew enforcement is in Automatic mode, a boot image configuration + is required + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() + : true' + - message: when skew enforcement is in Automatic mode, managedBootImages must + contain a MachineManager opting in all MachineAPI MachineSets + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, + m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup + == ''machine.openshift.io'') : true' + - message: when skew enforcement is in Automatic mode, managedBootImagesStatus + must contain a MachineManager opting in all MachineAPI MachineSets + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || + self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode + == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''): + true' served: true storage: true subresources: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml index 390853a26b..14a864201c 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml 
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml @@ -136,10 +136,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -149,9 +151,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -228,6 +231,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
@@ -767,10 +775,12 @@ spec: resource: description: |- resource is the machine management resource's type. - The only current valid value is machinesets. + Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. + controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -780,9 +790,10 @@ spec: mode: description: |- mode determines how machine managers will be selected for updates. - Valid values are All and Partial. + Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated. enum: - All @@ -859,6 +870,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index d2e74e6838..fd83694c23 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go 
@@ -390,6 +390,41 @@ func (in *AzureDiskEncryptionSet) DeepCopy() *AzureDiskEncryptionSet { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BootImageSkewEnforcementConfig) DeepCopyInto(out *BootImageSkewEnforcementConfig) { + *out = *in + out.Manual = in.Manual + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BootImageSkewEnforcementConfig. +func (in *BootImageSkewEnforcementConfig) DeepCopy() *BootImageSkewEnforcementConfig { + if in == nil { + return nil + } + out := new(BootImageSkewEnforcementConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BootImageSkewEnforcementStatus) DeepCopyInto(out *BootImageSkewEnforcementStatus) { + *out = *in + out.Automatic = in.Automatic + out.Manual = in.Manual + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BootImageSkewEnforcementStatus. +func (in *BootImageSkewEnforcementStatus) DeepCopy() *BootImageSkewEnforcementStatus { + if in == nil { + return nil + } + out := new(BootImageSkewEnforcementStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CSIDriverConfigSpec) DeepCopyInto(out *CSIDriverConfigSpec) { *out = *in 
@@ -676,6 +711,38 @@ func (in *CloudCredentialStatus) DeepCopy() *CloudCredentialStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterBootImageAutomatic) DeepCopyInto(out *ClusterBootImageAutomatic) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterBootImageAutomatic. +func (in *ClusterBootImageAutomatic) DeepCopy() *ClusterBootImageAutomatic { + if in == nil { + return nil + } + out := new(ClusterBootImageAutomatic) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterBootImageManual) DeepCopyInto(out *ClusterBootImageManual) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterBootImageManual. +func (in *ClusterBootImageManual) DeepCopy() *ClusterBootImageManual { + if in == nil { + return nil + } + out := new(ClusterBootImageManual) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterCSIDriver) DeepCopyInto(out *ClusterCSIDriver) { *out = *in @@ -3243,6 +3310,7 @@ func (in *MachineConfigurationSpec) DeepCopyInto(out *MachineConfigurationSpec) in.ManagedBootImages.DeepCopyInto(&out.ManagedBootImages) in.NodeDisruptionPolicy.DeepCopyInto(&out.NodeDisruptionPolicy) in.IrreconcilableValidationOverrides.DeepCopyInto(&out.IrreconcilableValidationOverrides) + out.BootImageSkewEnforcement = in.BootImageSkewEnforcement return } 
@@ -3268,6 +3336,7 @@ func (in *MachineConfigurationStatus) DeepCopyInto(out *MachineConfigurationStat } in.NodeDisruptionPolicyStatus.DeepCopyInto(&out.NodeDisruptionPolicyStatus) in.ManagedBootImagesStatus.DeepCopyInto(&out.ManagedBootImagesStatus) + out.BootImageSkewEnforcementStatus = in.BootImageSkewEnforcementStatus return } diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index a893b0e0f3..e7c94e2869 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -175,10 +175,7 @@ ingresscontrollers.operator.openshift.io: CRDName: ingresscontrollers.operator.openshift.io Capability: Ingress Category: "" - FeatureGates: - - IngressControllerLBSubnetsAWS - - SetEIPForNLBIngressController - - SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS + FeatureGates: [] FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" @@ -220,7 +217,8 @@ kubeapiservers.operator.openshift.io: CRDName: kubeapiservers.operator.openshift.io Capability: "" Category: coreoperators - FeatureGates: [] + FeatureGates: + - EventTTL FilenameOperatorName: kube-apiserver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_20" @@ -305,8 +303,10 @@ machineconfigurations.operator.openshift.io: Capability: "" Category: "" FeatureGates: + - BootImageSkewEnforcement - IrreconcilableMachineConfig - ManagedBootImages + - ManagedBootImages+ManagedBootImagesCPMS FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 206dd98c43..483d9720da 100644 
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -1314,6 +1314,14 @@ func (KubeAPIServerList) SwaggerDoc() map[string]string { return map_KubeAPIServerList } +var map_KubeAPIServerSpec = map[string]string{ + "eventTTLMinutes": "eventTTLMinutes specifies the amount of time that the events are stored before being deleted. The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours).\n\nLowering this value will reduce the storage required in etcd. Note that this setting will only apply to new events being created and will not update existing events.\n\nWhen omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is 3h (180 minutes).", +} + +func (KubeAPIServerSpec) SwaggerDoc() map[string]string { + return map_KubeAPIServerSpec +} + var map_KubeAPIServerStatus = map[string]string{ "serviceAccountIssuers": "serviceAccountIssuers tracks history of used service account issuers. The item without expiration time represents the currently used service account issuer. The other items represents service account issuers that were used previously and are still being trusted. The default expiration for the items is set by the platform and it defaults to 24h. see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection", } 
@@ -1379,6 +1387,48 @@ func (KubeStorageVersionMigratorList) SwaggerDoc() map[string]string { return map_KubeStorageVersionMigratorList } +var map_BootImageSkewEnforcementConfig = map[string]string{ + "": "BootImageSkewEnforcementConfig is used to configure how boot image version skew is enforced on the cluster.", + "mode": "mode determines the underlying behavior of skew enforcement mechanism. Valid values are Manual and None. Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP & RHCOS version associated with the last boot image update in the manual field. In Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the skew limit described by the release image. None means that the MCO will no longer monitor the boot image skew. This may affect the cluster's ability to scale. This field is required.", + "manual": "manual describes the current boot image of the cluster. This should be set to the oldest boot image used amongst all machine resources in the cluster. This must include either the RHCOS version of the boot image or the OCP release version which shipped with that RHCOS boot image. Required when mode is set to \"Manual\" and forbidden otherwise.", +} + +func (BootImageSkewEnforcementConfig) SwaggerDoc() map[string]string { + return map_BootImageSkewEnforcementConfig +} + +var map_BootImageSkewEnforcementStatus = map[string]string{ + "": "BootImageSkewEnforcementStatus is the type for the status object. It represents the cluster defaults when the boot image skew enforcement configuration is undefined and reflects the actual configuration when it is defined.", + "mode": "mode determines the underlying behavior of skew enforcement mechanism. Valid values are Automatic, Manual and None. Automatic means that the MCO will perform boot image updates and store the OCP & RHCOS version associated with the last boot image update in the automatic field. 
Manual means that the cluster admin is expected to perform manual boot image updates and store the OCP & RHCOS version associated with the last boot image update in the manual field. In Automatic and Manual mode, the MCO will prevent upgrades when the boot image skew exceeds the skew limit described by the release image. None means that the MCO will no longer monitor the boot image skew. This may affect the cluster's ability to scale. This field is required.", + "automatic": "automatic describes the current boot image of the cluster. This will be populated by the MCO when performing boot image updates. This value will be compared against the cluster's skew limit to determine skew compliance. Required when mode is set to \"Automatic\" and forbidden otherwise.", + "manual": "manual describes the current boot image of the cluster. This will be populated by the MCO using the values provided in the spec.bootImageSkewEnforcement.manual field. This value will be compared against the cluster's skew limit to determine skew compliance. Required when mode is set to \"Manual\" and forbidden otherwise.", +} + +func (BootImageSkewEnforcementStatus) SwaggerDoc() map[string]string { + return map_BootImageSkewEnforcementStatus +} + +var map_ClusterBootImageAutomatic = map[string]string{ + "": "ClusterBootImageAutomatic is used to describe the cluster boot image in Automatic mode. It stores the RHCOS version of the boot image and the OCP release version which shipped with that RHCOS boot image. At least one of these values are required. If ocpVersion and rhcosVersion are defined, both values will be used for checking skew compliance. If only ocpVersion is defined, only that value will be used for checking skew compliance. If only rhcosVersion is defined, only that value will be used for checking skew compliance.", + "ocpVersion": "ocpVersion provides a string which represents the OCP version of the boot image. This field must match the OCP semver compatible format of x.y.z. 
This field must be between 5 and 10 characters long.", + "rhcosVersion": "rhcosVersion provides a string which represents the RHCOS version of the boot image This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between 14 and 21 characters long.", +} + +func (ClusterBootImageAutomatic) SwaggerDoc() map[string]string { + return map_ClusterBootImageAutomatic +} + +var map_ClusterBootImageManual = map[string]string{ + "": "ClusterBootImageManual is used to describe the cluster boot image in Manual mode.", + "mode": "mode is used to configure which boot image field is defined in Manual mode. Valid values are OCPVersion and RHCOSVersion. OCPVersion means that the cluster admin is expected to set the OCP version associated with the last boot image update in the OCPVersion field. RHCOSVersion means that the cluster admin is expected to set the RHCOS version associated with the last boot image update in the RHCOSVersion field. This field is required.", + "ocpVersion": "ocpVersion provides a string which represents the OCP version of the boot image. This field must match the OCP semver compatible format of x.y.z. This field must be between 5 and 10 characters long. Required when mode is set to \"OCPVersion\" and forbidden otherwise.", + "rhcosVersion": "rhcosVersion provides a string which represents the RHCOS version of the boot image This field must match rhcosVersion formatting of [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or the legacy format of [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber]. This field must be between 14 and 21 characters long. 
Required when mode is set to \"RHCOSVersion\" and forbidden otherwise.", +} + +func (ClusterBootImageManual) SwaggerDoc() map[string]string { + return map_ClusterBootImageManual +} + var map_IrreconcilableValidationOverrides = map[string]string{ "": "IrreconcilableValidationOverrides holds the irreconcilable validations overrides to be applied on each rendered MachineConfig generation.", "storage": "storage can be used to allow making irreconcilable changes to the selected sections under the `spec.config.storage` field of MachineConfig CRs It must have at least one item, may not exceed 3 items and must not contain duplicates. Allowed element values are \"Disks\", \"FileSystems\", \"Raid\" and omitted. When contains \"Disks\" changes to the `spec.config.storage.disks` section of MachineConfig CRs are allowed. When contains \"FileSystems\" changes to the `spec.config.storage.filesystems` section of MachineConfig CRs are allowed. When contains \"Raid\" changes to the `spec.config.storage.raid` section of MachineConfig CRs are allowed. When omitted changes to the `spec.config.storage` section are forbidden.", 
@@ -1413,6 +1463,7 @@ var map_MachineConfigurationSpec = map[string]string{ "managedBootImages": "managedBootImages allows configuration for the management of boot images for machine resources within the cluster. This configuration allows users to select resources that should be updated to the latest boot images during cluster upgrades, ensuring that new machines always boot with the current cluster version's boot image. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default for each machine manager mode is All for GCP and AWS platforms, and None for all other platforms.", "nodeDisruptionPolicy": "nodeDisruptionPolicy allows an admin to set granular node disruption actions for MachineConfig-based updates, such as drains, service reloads, etc. Specifying this will allow for less downtime when doing small configuration updates to the cluster. This configuration has no effect on cluster upgrades which will still incur node disruption where required.", "irreconcilableValidationOverrides": "irreconcilableValidationOverrides is an optional field that can used to make changes to a MachineConfig that cannot be applied to existing nodes. When specified, the fields configured with validation overrides will no longer reject changes to those respective fields due to them not being able to be applied to existing nodes. Only newly provisioned nodes will have these configurations applied. Existing nodes will report observed configuration differences in their MachineConfigNode status.", + "bootImageSkewEnforcement": "bootImageSkewEnforcement allows an admin to configure how boot image version skew is enforced on the cluster. When omitted, this will default to Automatic for clusters that support automatic boot image updates. For clusters that do not support automatic boot image updates, cluster upgrades will be disabled until a skew enforcement mode has been specified. 
When version skew is being enforced, cluster upgrades will be disabled until the version skew is deemed acceptable for the current release payload.", } func (MachineConfigurationSpec) SwaggerDoc() map[string]string { 
@@ -1420,10 +1471,11 @@ func (MachineConfigurationSpec) SwaggerDoc() map[string]string { } var map_MachineConfigurationStatus = map[string]string{ - "observedGeneration": "observedGeneration is the last generation change you've dealt with", - "conditions": "conditions is a list of conditions and their status", - "nodeDisruptionPolicyStatus": "nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, and will be used by the Machine Config Daemon during future node updates.", - "managedBootImagesStatus": "managedBootImagesStatus reflects what the latest cluster-validated boot image configuration is and will be used by Machine Config Controller while performing boot image updates.", + "observedGeneration": "observedGeneration is the last generation change you've dealt with", + "conditions": "conditions is a list of conditions and their status", + "nodeDisruptionPolicyStatus": "nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, and will be used by the Machine Config Daemon during future node updates.", + "managedBootImagesStatus": "managedBootImagesStatus reflects what the latest cluster-validated boot image configuration is and will be used by Machine Config Controller while performing boot image updates.", + "bootImageSkewEnforcementStatus": "bootImageSkewEnforcementStatus reflects what the latest cluster-validated boot image skew enforcement configuration is and will be used by Machine Config Controller while performing boot image skew enforcement. When omitted, the MCO has no knowledge of how to enforce boot image skew. When the MCO does not know how boot image skew should be enforced, cluster upgrades will be blocked until it can either automatically determine skew enforcement or there is an explicit skew enforcement configuration provided in the spec.bootImageSkewEnforcement field.", } func (MachineConfigurationStatus) SwaggerDoc() map[string]string { 
@@ -1432,7 +1484,7 @@ func (MachineConfigurationStatus) SwaggerDoc() map[string]string { var map_MachineManager = map[string]string{ "": "MachineManager describes a target machine resource that is registered for boot image updates. It stores identifying information such as the resource type and the API Group of the resource. It also provides granular control via the selection field.", - "resource": "resource is the machine management resource's type. The only current valid value is machinesets. machinesets means that the machine manager will only register resources of the kind MachineSet.", + "resource": "resource is the machine management resource's type. Valid values are machinesets and controlplanemachinesets. machinesets means that the machine manager will only register resources of the kind MachineSet. controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.", "apiGroup": "apiGroup is name of the APIGroup that the machine management resource belongs to. The only current valid value is machine.openshift.io. machine.openshift.io means that the machine manager will only register resources that belong to OpenShift machine API group.", "selection": "selection allows granular control of the machine management resources that will be registered for boot image updates.", } 
@@ -1442,7 +1494,7 @@ func (MachineManager) SwaggerDoc() map[string]string { } var map_MachineManagerSelector = map[string]string{ - "mode": "mode determines how machine managers will be selected for updates. Valid values are All and Partial. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. None means that every resource matched by the machine manager will not be updated.", + "mode": "mode determines how machine managers will be selected for updates. Valid values are All, Partial and None. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster. None means that every resource matched by the machine manager will not be updated.", "partial": "partial provides label selector(s) that can be used to match machine management resources. Only permitted when mode is set to \"Partial\".", } diff --git a/vendor/modules.txt b/vendor/modules.txt index 96bd4a0e1d..654fce4a9b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1252,7 +1252,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/junit github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20250911131931-2acafd4d1ed2 +# github.com/openshift/api v0.0.0-20251013165757-fe48e8fd548b ## explicit; go 1.24.0 github.com/openshift/api github.com/openshift/api/annotations