diff --git a/go.mod b/go.mod index bd2dccff4..c33020321 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/golangci/golangci-lint v1.62.2 github.com/onsi/ginkgo/v2 v2.22.2 github.com/onsi/gomega v1.36.2 - github.com/openshift/api v0.0.0-20250128061932-d2791f98ff08 + github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264 github.com/openshift/library-go v0.0.0-20250127111945-0f76e23726cd diff --git a/go.sum b/go.sum index bb17eb2c0..08d89dd15 100644 --- a/go.sum +++ b/go.sum @@ -374,8 +374,8 @@ github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/openshift/api v0.0.0-20250128061932-d2791f98ff08 h1:GtCVszgqW3rmgyO8eWX/0UbfTirBNRTK9jFfZ/3Y9hQ= -github.com/openshift/api v0.0.0-20250128061932-d2791f98ff08/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c h1:0Np840IRyzpvHLWxcE1AZ8sttVZe+a3Y6QBS3Ge+umA= +github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 h1:4iliLcvr1P9EUMZgIaSNEKNQQzBn+L6PSequlFOuB6Q= github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7/go.mod h1:2tcufBE4Cu6RNgDCxcUJepa530kGo5GFVfR9BSnndhI= github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264 h1:KoJiId8Ynajf/ZFodvmayFkDODIL7Vow3LmgR5+oVRg= diff --git a/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml index 19a7e6a43..93063328a 100644 --- a/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml +++ b/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml @@ -68,6 +68,8 @@ spec: value: {{ .globalCredsSecretName }} - name: ENABLE_ALPHA_DUAL_STACK value: "true" + - name: ADDITIONAL_NODE_LABELS + value: {{ .additionalLabels }} resources: requests: cpu: 200m @@ -99,7 +101,8 @@ spec: --leader-elect-retry-period=26s \ --leader-elect-resource-namespace=openshift-cloud-controller-manager \ --feature-gates={{ .featureGates }} \ - --use-service-account-credentials=true + --use-service-account-credentials=true \ + --node-labels=$(ADDITIONAL_NODE_LABELS) terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - name: host-etc-kube diff --git a/pkg/cloud/vsphere/vsphere.go b/pkg/cloud/vsphere/vsphere.go index 3b0d9fc6b..4438258a6 100644 --- a/pkg/cloud/vsphere/vsphere.go +++ b/pkg/cloud/vsphere/vsphere.go @@ -5,6 +5,7 @@ import ( "fmt" "github.com/asaskevich/govalidator" + "github.com/openshift/api/features" appsv1 "k8s.io/api/apps/v1" rbacv1 "k8s.io/api/rbac/v1" "sigs.k8s.io/controller-runtime/pkg/client" @@ -18,6 +19,8 @@ const ( // see manifests/0000_26_cloud-controller-manager-operator_16_credentialsrequest-vsphere.yaml globalCredsSecretName = "vsphere-cloud-credentials" + + vSpherePlatformTypeLabel = "node.openshift.io/platform-type=vsphere" ) var ( @@ -45,6 +48,7 @@ var templateValuesValidationMap = map[string]interface{}{ "globalCredsSecretName": "required,type(string)", "cloudproviderName": "required,type(string)", "featureGates": "type(string)", + "additionalLabels": "type(string)", } type vsphereAssets struct { @@ -57,6 +61,12 @@ func (assets *vsphereAssets) GetRenderedResources() []client.Object { } func getTemplateValues(images *imagesReference, operatorConfig config.OperatorConfig) (common.TemplateValues, error) { + additionalLabels := "" + + // We are only going to set the new platform-type node labels if the featuregate is enabled. + if operatorConfig.OCPFeatureGates.Enabled(features.FeatureGateVSphereMixedNodeEnv) { + additionalLabels = vSpherePlatformTypeLabel + } values := common.TemplateValues{ "images": images, "infrastructureName": operatorConfig.InfrastructureName, @@ -64,6 +74,7 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo "globalCredsSecretName": globalCredsSecretName, "cloudproviderName": operatorConfig.GetPlatformNameString(), "featureGates": operatorConfig.FeatureGates, + "additionalLabels": additionalLabels, } _, err := govalidator.ValidateMap(values, templateValuesValidationMap) if err != nil { diff --git a/pkg/cloud/vsphere/vsphere_test.go b/pkg/cloud/vsphere/vsphere_test.go index 4f5bacbdd..0d0178bf0 100644 --- a/pkg/cloud/vsphere/vsphere_test.go +++ b/pkg/cloud/vsphere/vsphere_test.go @@ -41,6 +41,17 @@ func TestResourcesRenderingSmoke(t *testing.T) { PlatformStatus: &configv1.PlatformStatus{Type: configv1.VSpherePlatformType}, InfrastructureName: "infra", }, + }, { + name: "FeatureGate FeatureGateVSphereMixedNodeEnv=true results in node-labels generated without error", + config: config.OperatorConfig{ + ManagedNamespace: "my-cool-namespace", + ImagesReference: config.ImagesReference{ + CloudControllerManagerVSphere: "CloudControllerManagerVsphere", + }, + PlatformStatus: &configv1.PlatformStatus{Type: configv1.VSpherePlatformType}, + InfrastructureName: "infra", + FeatureGates: "FeatureGateVSphereMixedNodeEnv=true", + }, }, } diff --git a/pkg/config/config.go b/pkg/config/config.go index 45ac9cfac..82ba4dcdc 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -40,6 +40,7 @@ type OperatorConfig struct { PlatformStatus *configv1.PlatformStatus ClusterProxy *configv1.Proxy FeatureGates string + OCPFeatureGates featuregates.FeatureGate } func (cfg *OperatorConfig) GetPlatformNameString() string { @@ -97,11 +98,14 @@ func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *config klog.Errorf("Unable to get upstream feature gates: %s", err) return OperatorConfig{}, fmt.Errorf("unable to get upstream feature gates: %w", err) } + + var features featuregates.FeatureGate if featureGateAccessor != nil { - features, _ := featureGateAccessor.CurrentFeatureGates() + features, _ = featureGateAccessor.CurrentFeatureGates() enabled, _ := util.GetEnabledDisabledFeatures(features, upstreamGates) featureGatesString = util.BuildFeatureGateString(enabled, nil) } + fmt.Printf("Generated feature gates string: %s\n", featureGatesString) config := OperatorConfig{ PlatformStatus: infrastructure.Status.PlatformStatus.DeepCopy(), @@ -111,6 +115,7 @@ func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *config InfrastructureName: infrastructure.Status.InfrastructureName, IsSingleReplica: infrastructure.Status.ControlPlaneTopology == configv1.SingleReplicaTopologyMode, FeatureGates: featureGatesString, + OCPFeatureGates: features, } return config, nil diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml index 19746532c..3d44daed3 100644 --- a/vendor/github.com/openshift/api/.golangci.yaml +++ b/vendor/github.com/openshift/api/.golangci.yaml @@ -1,22 +1,24 @@ linters-settings: custom: - kal: + kubeapilinter: type: "module" - description: KAL is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices. + description: kubeapilinter is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices. settings: linters: enable: - "maxlength" - "nobools" + - "nomaps" - "statussubresource" lintersConfig: conditions: isFirstField: Warn useProtobuf: Ignore + usePatchStrategy: Ignore linters: disable-all: true enable: - - kal + - kubeapilinter issues: # We have a lot of existing issues. # Want to make sure that those adding new fields have an diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp index d485bed24..3b5d1736d 100644 --- a/vendor/github.com/openshift/api/Dockerfile.ocp +++ b/vendor/github.com/openshift/api/Dockerfile.ocp @@ -4,7 +4,7 @@ COPY . . ENV GO_PACKAGE github.com/openshift/api RUN make build --warn-undefined-variables -FROM registry.ci.openshift.org/ocp/4.18:base-rhel9 +FROM registry.ci.openshift.org/ocp/4.19:base-rhel9 # copy the built binaries to /usr/bin COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/ @@ -15,7 +15,7 @@ RUN mkdir -p /usr/share/bootkube/manifests/manifests COPY payload-manifests/crds/* /usr/share/bootkube/manifests/manifests # these are applied by the CVO -COPY manifests /manifests +RUN mkdir -p /manifests COPY payload-manifests/crds/* /manifests COPY payload-manifests/featuregates/* /manifests COPY payload-command/empty-resources /manifests diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile index d9877caab..6982e4efe 100644 --- a/vendor/github.com/openshift/api/Makefile +++ b/vendor/github.com/openshift/api/Makefile @@ -71,7 +71,6 @@ verify-scripts: bash -x hack/verify-prerelease-lifecycle-gen.sh hack/verify-payload-crds.sh hack/verify-payload-featuregates.sh - hack/verify-promoted-features-pass-tests.sh .PHONY: verify verify: verify-scripts lint verify-crd-schema verify-codegen-crds diff --git a/vendor/github.com/openshift/api/OWNERS b/vendor/github.com/openshift/api/OWNERS index 2e956a47d..ff904b63a 100644 --- a/vendor/github.com/openshift/api/OWNERS +++ b/vendor/github.com/openshift/api/OWNERS @@ -1,19 +1,7 @@ reviewers: - deads2k - - derekwaynecarr - JoelSpeed - - knobunc - - sjenning - - mfojtik - - soltysh - - bparees + - everettraven approvers: - - bparees - deads2k - - derekwaynecarr - JoelSpeed - - knobunc - - mfojtik - - sjenning - - soltysh - - spadgett diff --git a/vendor/github.com/openshift/api/README.md b/vendor/github.com/openshift/api/README.md index 934bcd329..071da98c0 100644 --- a/vendor/github.com/openshift/api/README.md +++ b/vendor/github.com/openshift/api/README.md @@ -99,6 +99,8 @@ and then enforces the following rules. 3. Every test must be run on every TechPreview platform we have jobs for. (Ask for an exception if your feature doesn't support a variant.) 4. Every test must run at least 14 times on every platform/variant. 5. Every test must pass at least 95% of the time on every platform/variant. +6. Test results are taken from the last 7 days if the test was run at least 14 times during that period. Otherwise, data from the last 14 days is used. +7. Test flakes (even if the test eventually passes on a retry) are considered failures and negatively impact the pass rate. If your FeatureGate lacks automated testing, there is an exception process that allows QE to sign off on the promotion by commenting on the PR. diff --git a/vendor/github.com/openshift/api/apiserver/v1/types_apirequestcount.go b/vendor/github.com/openshift/api/apiserver/v1/types_apirequestcount.go index 645d796f7..3771fa21d 100644 --- a/vendor/github.com/openshift/api/apiserver/v1/types_apirequestcount.go +++ b/vendor/github.com/openshift/api/apiserver/v1/types_apirequestcount.go @@ -57,9 +57,10 @@ type APIRequestCountSpec struct { type APIRequestCountStatus struct { // conditions contains details of the current status of this API Resource. - // +patchMergeKey=type - // +patchStrategy=merge - Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"` + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions"` // removedInRelease is when the API will be removed. // +kubebuilder:validation:MinLength=0 diff --git a/vendor/github.com/openshift/api/apiserver/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/apiserver/v1/zz_generated.deepcopy.go index 79be37153..35c9d2d98 100644 --- a/vendor/github.com/openshift/api/apiserver/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/apiserver/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/apps/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/apps/v1/zz_generated.deepcopy.go index 11c22a80f..3fd2e95d4 100644 --- a/vendor/github.com/openshift/api/apps/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/apps/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/authorization/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/authorization/v1/zz_generated.deepcopy.go index 9b7d44f3b..208ae3467 100644 --- a/vendor/github.com/openshift/api/authorization/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/authorization/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go index d36b28c82..03cb4a6a7 100644 --- a/vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto b/vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto index 328de7c5a..aee82514e 100644 --- a/vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto +++ b/vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto @@ -79,6 +79,10 @@ message CloudPrivateIPConfigStatus { // condition is the assignment condition of the private IP and its status // +required + // +listType=map + // +listMapKey=type + // +patchMergeKey=type + // +patchStrategy=merge repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 2; } diff --git a/vendor/github.com/openshift/api/cloudnetwork/v1/types.go b/vendor/github.com/openshift/api/cloudnetwork/v1/types.go index de27f8eb6..7508e1505 100644 --- a/vendor/github.com/openshift/api/cloudnetwork/v1/types.go +++ b/vendor/github.com/openshift/api/cloudnetwork/v1/types.go @@ -56,7 +56,11 @@ type CloudPrivateIPConfigStatus struct { Node string `json:"node" protobuf:"bytes,1,opt,name=node"` // condition is the assignment condition of the private IP and its status // +required - Conditions []metav1.Condition `json:"conditions" protobuf:"bytes,2,rep,name=conditions"` + // +listType=map + // +listMapKey=type + // +patchMergeKey=type + // +patchStrategy=merge + Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=conditions"` } // CloudPrivateIPConfigConditionType specifies the current condition type of the CloudPrivateIPConfig diff --git a/vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go index 092825f35..6392002aa 100644 --- a/vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/config/install.go b/vendor/github.com/openshift/api/config/install.go index 1c3c67747..851a6c3e1 100644 --- a/vendor/github.com/openshift/api/config/install.go +++ b/vendor/github.com/openshift/api/config/install.go @@ -6,6 +6,7 @@ import ( configv1 "github.com/openshift/api/config/v1" configv1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha2 "github.com/openshift/api/config/v1alpha2" ) const ( @@ -13,7 +14,7 @@ const ( ) var ( - schemeBuilder = runtime.NewSchemeBuilder(configv1.Install, configv1alpha1.Install) + schemeBuilder = runtime.NewSchemeBuilder(configv1.Install, configv1alpha1.Install, configv1alpha2.Install) // Install is a function which adds every version of this group to a scheme Install = schemeBuilder.AddToScheme ) diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 75b647f74..327ce13da 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go @@ -51,6 +51,7 @@ type APIServerSpec struct { // server from JavaScript applications. // The values are regular expressions that correspond to the Golang regular expression language. // +optional + // +listType=atomic AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"` // encryption allows the configuration of encryption of resources at the datastore layer. // +optional @@ -153,6 +154,8 @@ type APIServerServingCerts struct { // If no named certificates are provided, or no named certificates match the server name as understood by a client, // the defaultServingCertificate will be used. // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=32 NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"` } @@ -162,6 +165,8 @@ type APIServerNamedServingCert struct { // serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. // Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=64 Names []string `json:"names,omitempty"` // servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. // The secret must exist in the openshift-config namespace and contain the following required fields: @@ -170,6 +175,9 @@ type APIServerNamedServingCert struct { ServingCertificate SecretNameReference `json:"servingCertificate"` } +// APIServerEncryption is used to encrypt sensitive resources on the cluster. +// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise" +// +union type APIServerEncryption struct { // type defines what encryption type should be used to encrypt resources at the datastore layer. // When this field is unset (i.e. when it is set to the empty string), identity is implied. @@ -188,9 +196,23 @@ type APIServerEncryption struct { // +unionDiscriminator // +optional Type EncryptionType `json:"type,omitempty"` + + // kms defines the configuration for the external KMS instance that manages the encryption keys, + // when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + // externally configured KMS instance. + // + // The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + // managing the lifecyle of the encryption keys outside of the control plane. + // This allows integration with an external provider to manage the data encryption keys securely. + // + // +openshift:enable:FeatureGate=KMSEncryptionProvider + // +unionMember + // +optional + KMS *KMSConfig `json:"kms,omitempty"` } -// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string const ( @@ -205,6 +227,11 @@ const ( // aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key // is used to perform encryption at the datastore layer. EncryptionTypeAESGCM EncryptionType = "aesgcm" + + // kms refers to a type of encryption where the encryption keys are managed + // outside the control plane in a Key Management Service instance, + // encryption is still performed at the datastore layer. + EncryptionTypeKMS EncryptionType = "KMS" ) type APIServerStatus struct { diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index 65dffddb0..f91c9cbf0 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go @@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" // Authentication specifies cluster-wide settings for authentication (like OAuth and // webhook token authenticators). The canonical name of an instance is `cluster`. @@ -90,6 +90,7 @@ type AuthenticationSpec struct { // +listMapKey=name // +kubebuilder:validation:MaxItems=1 // +openshift:enable:FeatureGate=ExternalOIDC + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"` } @@ -117,6 +118,7 @@ type AuthenticationStatus struct { // +listMapKey=componentName // +kubebuilder:validation:MaxItems=20 // +openshift:enable:FeatureGate=ExternalOIDC + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings OIDCClients []OIDCClientStatus `json:"oidcClients"` } @@ -135,7 +137,7 @@ type AuthenticationList struct { } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";None;IntegratedOAuth -// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="";None;IntegratedOAuth;OIDC +// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,enum="";None;IntegratedOAuth;OIDC type AuthenticationType string const ( @@ -193,32 +195,50 @@ const ( ) type OIDCProvider struct { - // name of the OIDC provider + // name is a required field that configures the unique human-readable identifier + // associated with the identity provider. + // It is used to distinguish between multiple identity providers + // and has no impact on token validation or authentication mechanics. + // + // name must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Name string `json:"name"` - // issuer describes atributes of the OIDC token issuer + + // issuer is a required field that configures how the platform interacts + // with the identity provider and how tokens issued from the identity provider + // are evaluated by the Kubernetes API server. // // +required Issuer TokenIssuer `json:"issuer"` - // oidcClients contains configuration for the platform's clients that - // need to request tokens from the issuer + // oidcClients is an optional field that configures how on-cluster, + // platform clients should request tokens from the identity provider. + // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. // // +listType=map // +listMapKey=componentNamespace // +listMapKey=componentName // +kubebuilder:validation:MaxItems=20 + // +optional OIDCClients []OIDCClientConfig `json:"oidcClients"` - // claimMappings describes rules on how to transform information from an - // ID token into a cluster identity + // claimMappings is a required field that configures the rules to be used by + // the Kubernetes API server for translating claims in a JWT token, issued + // by the identity provider, to a cluster identity. + // + // +required ClaimMappings TokenClaimMappings `json:"claimMappings"` - // claimValidationRules are rules that are applied to validate token claims to authenticate users. + // claimValidationRules is an optional field that configures the rules to + // be used by the Kubernetes API server for validating the claims in a JWT + // token issued by the identity provider. + // + // Validation rules are joined via an AND operation. // // +listType=atomic + // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` } @@ -226,17 +246,22 @@ type OIDCProvider struct { type TokenAudience string type TokenIssuer struct { - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that configures the URL used to issue tokens + // by the identity provider. + // The Kubernetes API server determines how authentication tokens should be handled + // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required URL string `json:"issuerURL"` - // audiences is an array of audiences that the token was issued for. - // Valid tokens must include at least one of these values in their - // "aud" claim. - // Must be set to exactly one value. + // audiences is a required field that configures the acceptable audiences + // the JWT token, issued by the identity provider, must be issued to. + // At least one of the entries must match the 'aud' claim in the JWT token. + // + // audiences must contain at least one entry and must not exceed ten entries. // // +listType=set // +kubebuilder:validation:MinItems=1 @@ -244,93 +269,293 @@ type TokenIssuer struct { // +required Audiences []TokenAudience `json:"audiences"` - // CertificateAuthority is a reference to a config map in the - // configuration namespace. The .data of the configMap must contain - // the "ca-bundle.crt" key. - // If unset, system trust is used instead. + // issuerCertificateAuthority is an optional field that configures the + // certificate authority, used by the Kubernetes API server, to validate + // the connection to the identity provider when fetching discovery information. + // + // When not specified, the system trust is used. + // + // When specified, it must reference a ConfigMap in the openshift-config + // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + // key in the data field of the ConfigMap. + // + // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` } type TokenClaimMappings struct { - // username is a name of the claim that should be used to construct - // usernames for the cluster identity. + // username is a required field that configures how the username of a cluster identity + // should be constructed from the claims in a JWT token issued by the identity provider. // - // Default value: "sub" - Username UsernameClaimMapping `json:"username,omitempty"` + // +required + Username UsernameClaimMapping `json:"username"` - // groups is a name of the claim that should be used to construct - // groups for the cluster identity. - // The referenced claim must use array of strings values. + // groups is an optional field that configures how the groups of a cluster identity + // should be constructed from the claims in a JWT token issued + // by the identity provider. + // When referencing a claim, if the claim is present in the JWT + // token, its value must be a list of groups separated by a comma (','). + // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + // + // +optional Groups PrefixedClaimMapping `json:"groups,omitempty"` + + // uid is an optional field for configuring the claim mapping + // used to construct the uid for the cluster identity. + // + // When using uid.claim to specify the claim it must be a single string value. + // When using uid.expression the expression must result in a single string value. + // + // When omitted, this means the user has no opinion and the platform + // is left to choose a default, which is subject to change over time. + // The current default is to use the 'sub' claim. + // + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings + UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"` + + // extra is an optional field for configuring the mappings + // used to construct the extra attribute for the cluster identity. + // When omitted, no extra attributes will be present on the cluster identity. + // key values for extra mappings must be unique. + // A maximum of 64 extra attribute mappings may be provided. + // + // +optional + // +kubebuilder:validation:MaxItems=64 + // +listType=map + // +listMapKey=key + // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings + Extra []ExtraMapping `json:"extra,omitempty"` } +// TokenClaimMapping allows specifying a JWT token +// claim to be used when mapping claims from an +// authentication token to cluster identities. type TokenClaimMapping struct { - // claim is a JWT token claim to be used in the mapping + // claim is a required field that configures the JWT token + // claim whose value is assigned to the cluster identity + // field associated with this mapping. // // +required Claim string `json:"claim"` } +// TokenClaimOrExpressionMapping allows specifying either a JWT +// token claim or CEL expression to be used when mapping claims +// from an authentication token to cluster identities. +// +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set" +type TokenClaimOrExpressionMapping struct { + // claim is an optional field for specifying the + // JWT token claim that is used in the mapping. + // The value of this claim will be assigned to + // the field in which this mapping is associated. + // + // Precisely one of claim or expression must be set. + // claim must not be specified when expression is set. + // When specified, claim must be at least 1 character in length + // and must not exceed 256 characters in length. + // + // +optional + // +kubebuilder:validation:MaxLength=256 + // +kubebuilder:validation:MinLength=1 + Claim string `json:"claim,omitempty"` + + // expression is an optional field for specifying a + // CEL expression that produces a string value from + // JWT token claims. + // + // CEL expressions have access to the token claims + // through a CEL variable, 'claims'. + // 'claims' is a map of claim names to claim values. + // For example, the 'sub' claim value can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation ('claims.foo.bar'). + // + // Precisely one of claim or expression must be set. + // expression must not be specified when claim is set. + // When specified, expression must be at least 1 character in length + // and must not exceed 4096 characters in length. + // + // +optional + // +kubebuilder:validation:MaxLength=4096 + // +kubebuilder:validation:MinLength=1 + Expression string `json:"expression,omitempty"` +} + +// ExtraMapping allows specifying a key and CEL expression +// to evaluate the keys' value. It is used to create additional +// mappings and attributes added to a cluster identity from +// a provided authentication token. +type ExtraMapping struct { + // key is a required field that specifies the string + // to use as the extra attribute key. + // + // key must be a domain-prefix path (e.g 'example.org/foo'). + // key must not exceed 510 characters in length. + // key must contain the '/' character, separating the domain and path characters. + // key must not be empty. + // + // The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + // It must not exceed 253 characters in length. + // It must start and end with an alphanumeric character. + // It must only contain lower case alphanumeric characters and '-' or '.'. + // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + // + // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + // It must not exceed 256 characters in length. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=510 + // +kubebuilder:validation:XValidation:rule="self.contains('/')",message="key must contain the '/' character" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].size() <= 253",message="the domain of the key must not exceed 253 characters in length" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'kubernetes.io'",message="the domain 'kubernetes.io' is reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.kubernetes.io')",message="the subdomains '*.kubernetes.io' are reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'k8s.io'",message="the domain 'k8s.io' is reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.k8s.io')",message="the subdomains '*.k8s.io' are reserved for Kubernetes use" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'openshift.io'",message="the domain 'openshift.io' is reserved for OpenShift use" + // +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.openshift.io')",message="the subdomains '*.openshift.io' are reserved for OpenShift use" + // + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].matches('[A-Za-z0-9/\\\\-._~%!$&\\'()*+;=:]+')",message="the path of the key must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, apostrophe, '-', '.', '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=', and ':'" + // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length" + Key string `json:"key"` + + // valueExpression is a required field to specify the CEL expression to extract + // the extra attribute value from a JWT token's claims. + // valueExpression must produce a string or string array value. + // "", [], and null are treated as the extra mapping not being present. + // Empty string values within an array are filtered out. + // + // CEL expressions have access to the token claims + // through a CEL variable, 'claims'. + // 'claims' is a map of claim names to claim values. + // For example, the 'sub' claim value can be accessed as 'claims.sub'. + // Nested claims can be accessed using dot notation ('claims.foo.bar'). + // + // valueExpression must not exceed 4096 characters in length. + // valueExpression must not be empty. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + ValueExpression string `json:"valueExpression"` +} + +// OIDCClientConfig configures how platform clients +// interact with identity providers as an authentication +// method type OIDCClientConfig struct { - // componentName is the name of the component that is supposed to consume this - // client configuration + // componentName is a required field that specifies the name of the platform + // component being configured to use the identity provider as an authentication mode. + // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that is supposed to consume this - // client configuration + // componentNamespace is a required field that specifies the namespace in which the + // platform component being configured to use the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that configures the client identifier, from + // the identity provider, that the platform component uses for authentication + // requests made to the identity provider. + // The identity provider must accept this identifier for platform components + // to be able to use the identity provider as an authentication mode. + // + // clientID must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required ClientID string `json:"clientID"` - // clientSecret refers to a secret in the `openshift-config` namespace that - // contains the client secret in the `clientSecret` key of the `.data` field + // clientSecret is an optional field that configures the client secret used + // by the platform component when making authentication requests to the identity provider. + // + // When not specified, no client secret will be used when making authentication requests + // to the identity provider. + // + // When specified, clientSecret references a Secret in the 'openshift-config' + // namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + // The client secret will be used when making authentication requests to the identity provider. + // + // Public clients do not require a client secret but private + // clients do require a client secret to work with the identity provider. + // + // +optional ClientSecret SecretNameReference `json:"clientSecret"` - // extraScopes is an optional set of scopes to request tokens with. + // extraScopes is an optional field that configures the extra scopes that should + // be requested by the platform component when making authentication requests to the + // identity provider. + // This is useful if you have configured claim mappings that requires specific + // scopes to be requested beyond the standard OIDC scopes. + // + // When omitted, no additional scopes are requested. // // +listType=set + // +optional ExtraScopes []string `json:"extraScopes"` } +// OIDCClientStatus represents the current state +// of platform components and how they interact with +// the configured identity providers. type OIDCClientStatus struct { - // componentName is the name of the component that will consume a client configuration. + // componentName is a required field that specifies the name of the platform + // component using the identity provider as an authentication mode. + // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that will consume a client configuration. + // componentNamespace is a required field that specifies the namespace in which the + // platform component using the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // currentOIDCClients is a list of clients that the component is currently using. + // currentOIDCClients is an optional list of clients that the component is currently using. + // Entries must have unique issuerURL/clientID pairs. // // +listType=map // +listMapKey=issuerURL // +listMapKey=clientID + // +optional CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"` - // consumingUsers is a slice of ServiceAccounts that need to have read - // permission on the `clientSecret` secret. + // consumingUsers is an optional list of ServiceAccounts requiring + // read permissions on the `clientSecret` secret. + // + // consumingUsers must not exceed 5 entries. // // +kubebuilder:validation:MaxItems=5 // +listType=set + // +optional ConsumingUsers []ConsumingUser `json:"consumingUsers"` // conditions are used to communicate the state of the `oidcClients` entry. @@ -343,24 +568,36 @@ type OIDCClientStatus struct { // // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` } +// OIDCClientReference is a reference to a platform component +// client configuration. type OIDCClientReference struct { - // OIDCName refers to the `name` of the provider from `oidcProviders` + // oidcProviderName is a required reference to the 'name' of the identity provider + // configured in 'oidcProviders' that this client is associated with. + // + // oidcProviderName must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required OIDCProviderName string `json:"oidcProviderName"` - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that specifies the URL of the identity + // provider that this client is configured to make requests against. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required IssuerURL string `json:"issuerURL"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that specifies the client identifier, from + // the identity provider, that the platform component is using for authentication + // requests made to the identity provider. + // + // clientID must not be empty. // // +kubebuilder:validation:MinLength=1 // +required @@ -368,35 +605,61 @@ type OIDCClientReference struct { } // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise" +// +union type UsernameClaimMapping struct { - TokenClaimMapping `json:",inline"` + // claim is a required field that configures the JWT token + // claim whose value is assigned to the cluster identity + // field associated with this mapping. + // + // claim must not be an empty string ("") and must not exceed 256 characters. + // + // +required + // +kubebuilder:validation:MinLength:=1 + // +kubebuilder:validation:MaxLength:=256 + Claim string `json:"claim"` - // prefixPolicy specifies how a prefix should apply. + // prefixPolicy is an optional field that configures how a prefix should be + // applied to the value of the JWT claim specified in the 'claim' field. + // + // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). // - // By default, claims other than `email` will be prefixed with the issuer URL to - // prevent naming clashes with other plugins. + // When set to 'Prefix', the value specified in the prefix field will be + // prepended to the value of the JWT claim. + // The prefix field must be set when prefixPolicy is 'Prefix'. // - // Set to "NoPrefix" to disable prefixing. + // When set to 'NoPrefix', no prefix will be prepended to the value + // of the JWT claim. // - // Example: - // (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - // If the JWT claim `username` contains value `userA`, the resulting - // mapped value will be "myoidc:userA". - // (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - // JWT `email` claim contains value "userA@myoidc.tld", the resulting - // mapped value will be "myoidc:userA@myoidc.tld". - // (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - // and `claim` is set to: - // (a) "username": the mapped value will be "https://myoidc.tld#userA" - // (b) "email": the mapped value will be "userA@myoidc.tld" + // When omitted, this means no opinion and the platform is left to choose + // any prefixes that are applied which is subject to change over time. + // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + // when the claim is not 'email'. + // As an example, consider the following scenario: + // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + // and `claim` is set to: + // - "username": the mapped value will be "https://myoidc.tld#userA" + // - "email": the mapped value will be "userA@myoidc.tld" // // +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"} + // +optional + // +unionDiscriminator PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"` + // prefix configures the prefix that should be prepended to the value + // of the JWT claim. + // + // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + // + // +optional + // +unionMember Prefix *UsernamePrefix `json:"prefix"` } +// UsernamePrefixPolicy configures how prefixes should be applied +// to values extracted from the JWT claims during the process of mapping +// JWT claims to cluster identity attributes. +// +enum type UsernamePrefixPolicy string var ( @@ -411,26 +674,42 @@ var ( Prefix UsernamePrefixPolicy = "Prefix" ) +// UsernamePrefix configures the string that should +// be used as a prefix for username claim mappings. type UsernamePrefix struct { + // prefixString is a required field that configures the prefix that will + // be applied to cluster identity username attribute + // during the process of mapping JWT claims to cluster identity attributes. + // + // prefixString must not be an empty string (""). + // // +kubebuilder:validation:MinLength=1 // +required PrefixString string `json:"prefixString"` } +// PrefixedClaimMapping configures a claim mapping +// that allows for an optional prefix. type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` - // prefix is a string to prefix the value from the token in the result of the - // claim mapping. + // prefix is an optional field that configures the prefix that will be + // applied to the cluster identity attribute during the process of mapping + // JWT claims to cluster identity attributes. // - // By default, no prefixing occurs. + // When omitted (""), no prefix is applied to the cluster identity attribute. // - // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains // an array of strings "a", "b" and "c", the mapping will result in an // array of string "myoidc:a", "myoidc:b" and "myoidc:c". + // + // +optional Prefix string `json:"prefix"` } +// TokenValidationRuleType represents the different +// claim validation rule types that can be configured. +// +enum type TokenValidationRuleType string const ( @@ -438,26 +717,45 @@ const ( ) type TokenClaimValidationRule struct { - // type sets the type of the validation rule + // type is an optional field that configures the type of the validation rule. + // + // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + // + // When set to 'RequiredClaim', the Kubernetes API server + // will be configured to validate that the incoming JWT + // contains the required claim and that its value matches + // the required value. + // + // Defaults to 'RequiredClaim'. // // +kubebuilder:validation:Enum={"RequiredClaim"} // +kubebuilder:default="RequiredClaim" Type TokenValidationRuleType `json:"type"` - // requiredClaim allows configuring a required claim name and its expected - // value + // requiredClaim is an optional field that configures the required claim + // and value that the Kubernetes API server will use to validate if an incoming + // JWT is valid for this identity provider. + // + // +optional RequiredClaim *TokenRequiredClaim `json:"requiredClaim"` } type TokenRequiredClaim struct { - // claim is a name of a required claim. Only claims with string values are - // supported. + // claim is a required field that configures the name of the required claim. + // When taken from the JWT claims, claim must be a string value. + // + // claim must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Claim string `json:"claim"` - // requiredValue is the required value for the claim. + // requiredValue is a required field that configures the value that 'claim' must + // have when taken from the incoming JWT claims. + // If the value in the JWT claims does not match, the token + // will be rejected for authentication. + // + // requiredValue must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go index 4a6823640..a447adb9f 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go @@ -53,6 +53,8 @@ type ClusterOperatorStatus struct { // conditions describes the state of the operator's managed and monitored components. // +patchMergeKey=type // +patchStrategy=merge + // +listType=map + // +listMapKey=type // +optional Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 8994ca97c..b89d487ca 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -62,7 +62,7 @@ type ClusterVersionSpec struct { // // Some of the fields are inter-related with restrictions and meanings described here. // 1. image is specified, version is specified, architecture is specified. API validation error. - // 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. + // 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. // 3. image is specified, version is not specified, architecture is specified. API validation error. // 4. image is specified, version is not specified, architecture is not specified. image is used. // 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. @@ -83,8 +83,8 @@ type ClusterVersionSpec struct { // // +optional Upstream URL `json:"upstream,omitempty"` - // channel is an identifier for explicitly requesting that a non-default - // set of updates be applied to this cluster. The default channel will be + // channel is an identifier for explicitly requesting a non-default set + // of updates to be applied to this cluster. The default channel will // contain stable updates that are appropriate for production clusters. // // +optional @@ -702,16 +702,16 @@ type Update struct { Architecture ClusterVersionArchitecture `json:"architecture"` // version is a semantic version identifying the update version. - // version is ignored if image is specified and required if - // architecture is specified. + // version is required if architecture is specified. + // If both version and image are set, the version extracted from the referenced image must match the specified version. // // +optional Version string `json:"version"` // image is a container image location that contains the update. // image should be used when the desired version does not exist in availableUpdates or history. - // When image is set, version is ignored. When image is set, version should be empty. // When image is set, architecture cannot be specified. + // If both version and image are set, the version extracted from the referenced image must match the specified version. // // +optional Image string `json:"image"` @@ -796,11 +796,10 @@ type ConditionalUpdate struct { // conditions represents the observations of the conditional update's // current status. Known types are: // * Recommended, for whether the update is recommended for the current cluster. - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` } // ConditionalUpdateRisk represents a reason and cluster-state diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 81bc14f2c..0709a75ae 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -99,6 +99,7 @@ type FeatureGateStatus struct { // Known .status.conditions.type are: "DeterminationDegraded" // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` // featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion. diff --git a/vendor/github.com/openshift/api/config/v1/types_image.go b/vendor/github.com/openshift/api/config/v1/types_image.go index 3db935c7f..82f46c8b6 100644 --- a/vendor/github.com/openshift/api/config/v1/types_image.go +++ b/vendor/github.com/openshift/api/config/v1/types_image.go @@ -161,6 +161,8 @@ type RegistryLocation struct { } // RegistrySources holds cluster-wide information about how to handle the registries config. +// +// +kubebuilder:validation:XValidation:rule="has(self.blockedRegistries) ? !has(self.allowedRegistries) : true",message="Only one of blockedRegistries or allowedRegistries may be set" type RegistrySources struct { // insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections. // +optional diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 0293603d7..ffb0f3f60 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -100,6 +100,8 @@ type InfrastructureStatus struct { // +kubebuilder:default=HighlyAvailable // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=HighlyAvailable;SingleReplica;External // +openshift:validation:FeatureGateAwareEnum:featureGate=HighlyAvailableArbiter,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;External + // +openshift:validation:FeatureGateAwareEnum:featureGate=DualReplica,enum=HighlyAvailable;SingleReplica;DualReplica;External + // +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=HighlyAvailableArbiter;DualReplica,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;DualReplica;External ControlPlaneTopology TopologyMode `json:"controlPlaneTopology"` // infrastructureTopology expresses the expectations for infrastructure services that do not run on control @@ -142,6 +144,9 @@ const ( // "SingleReplica" is for operators to avoid spending resources for high-availability purpose. SingleReplicaTopologyMode TopologyMode = "SingleReplica" + // "DualReplica" is for operators to configure for two node topology. + DualReplicaTopologyMode TopologyMode = "DualReplica" + // "External" indicates that the component is running externally to the cluster. When specified // as the control plane topology, operators should avoid scheduling workloads to masters or assume // that any of the control plane components such as kubernetes API server or etcd are visible within @@ -528,18 +533,22 @@ type AWSPlatformStatus struct { // AWSResourceTag is a tag to apply to AWS resources created for the cluster. type AWSResourceTag struct { - // key is the key of the tag + // key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + // Key should consist of between 1 and 128 characters, and may + // contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=128 - // +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+-@]+$` + // +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag key. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'" // +required Key string `json:"key"` - // value is the value of the tag. + // value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + // Value should consist of between 1 and 256 characters, and may + // contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. // Some AWS service do not support empty values. Since tags are added to resources in many services, the // length of the tag value must meet the requirements of all services. // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 - // +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+-@]+$` + // +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'" // +required Value string `json:"value"` } @@ -620,6 +629,66 @@ const ( AzureStackCloud AzureCloudEnvironment = "AzureStackCloud" ) +// GCPServiceEndpointName is the name of the GCP Service Endpoint. +// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage +type GCPServiceEndpointName string + +const ( + // GCPServiceEndpointNameCompute is the name used for the GCP Compute Service endpoint. + GCPServiceEndpointNameCompute GCPServiceEndpointName = "Compute" + + // GCPServiceEndpointNameContainer is the name used for the GCP Container Service endpoint. + GCPServiceEndpointNameContainer GCPServiceEndpointName = "Container" + + // GCPServiceEndpointNameCloudResource is the name used for the GCP Resource Manager Service endpoint. + GCPServiceEndpointNameCloudResource GCPServiceEndpointName = "CloudResourceManager" + + // GCPServiceEndpointNameDNS is the name used for the GCP DNS Service endpoint. + GCPServiceEndpointNameDNS GCPServiceEndpointName = "DNS" + + // GCPServiceEndpointNameFile is the name used for the GCP File Service endpoint. + GCPServiceEndpointNameFile GCPServiceEndpointName = "File" + + // GCPServiceEndpointNameIAM is the name used for the GCP IAM Service endpoint. + GCPServiceEndpointNameIAM GCPServiceEndpointName = "IAM" + + // GCPServiceEndpointNameServiceUsage is the name used for the GCP Service Usage Service endpoint. + GCPServiceEndpointNameServiceUsage GCPServiceEndpointName = "ServiceUsage" + + // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint. + GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage" +) + +// GCPServiceEndpoint store the configuration of a custom url to +// override existing defaults of GCP Services. +type GCPServiceEndpoint struct { + // name is the name of the GCP service whose endpoint is being overridden. + // This must be provided and cannot be empty. + // + // Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, + // Storage, and TagManager. + // + // As an example, when setting the name to Compute all requests made by the caller to the GCP Compute + // Service will be directed to the endpoint specified in the url field. + // + // +required + Name GCPServiceEndpointName `json:"name"` + + // url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified + // in the name field. + // url is required, must use the scheme https, must not be more than 253 characters in length, + // and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) + // + // An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" + // + // +required + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL" + // +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"https\") : true",message="scheme must be https" + // +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath() == \"\" || url(self).getEscapedPath() == \"/\"",message="url must consist only of a scheme and domain. The url path must be empty." + URL string `json:"url"` +} + // GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. // This only includes fields that can be modified in the cluster. type GCPPlatformSpec struct{} @@ -675,6 +744,19 @@ type GCPPlatformStatus struct { // +optional // +nullable CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"` + + // serviceEndpoints specifies endpoints that override the default endpoints + // used when creating clients to interact with GCP services. + // When not specified, the default endpoint for the GCP region will be used. + // Only 1 endpoint override is permitted for each GCP service. + // The maximum number of endpoint overrides allowed is 9. + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name" + // +optional + // +openshift:enable:FeatureGate=GCPCustomAPIEndpoints + ServiceEndpoints []GCPServiceEndpoint `json:"serviceEndpoints,omitempty"` } // GCPResourceLabel is a label to apply to GCP resources created for the cluster. @@ -923,7 +1005,6 @@ type BareMetalPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"` @@ -1137,7 +1218,6 @@ type OvirtPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *OvirtPlatformLoadBalancer `json:"loadBalancer,omitempty"` } @@ -1307,7 +1387,6 @@ type VSpherePlatformTopology struct { // VSpherePlatformFailureDomainSpec. // For example, for zone=zonea, region=region1, and infrastructure name=test, // the template path would be calculated as //vm/test-rhcos-region1-zonea. - // +openshift:enable:FeatureGate=VSphereControlPlaneMachineSet // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=2048 // +kubebuilder:validation:Pattern=`^/.*?/vm/.*?` @@ -1475,8 +1554,7 @@ type VSpherePlatformSpec struct { // + If VCenters is not defined use the existing cloud-config configmap defined // + in openshift-config. // +kubebuilder:validation:MinItems=0 - // +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1 - // +openshift:validation:FeatureGateAwareMaxItems:featureGate=VSphereMultiVCenters,maxItems=3 + // +kubebuilder:validation:MaxItems=3 // +kubebuilder:validation:XValidation:rule="size(self) != size(oldSelf) ? size(oldSelf) == 0 && size(self) < 2 : true",message="vcenters cannot be added or removed once set" // +listType=atomic // +optional @@ -1588,7 +1666,6 @@ type VSpherePlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"` @@ -1615,17 +1692,35 @@ type IBMCloudServiceEndpoint struct { // url is fully qualified URI with scheme https, that overrides the default generated // endpoint for a client. - // This must be provided and cannot be empty. + // This must be provided and cannot be empty. The path must follow the pattern + // /v[0,9]+ or /api/v[0,9]+ // // +required // +kubebuilder:validation:Type=string + // +kubebuilder:validation:MaxLength=300 // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL" + // +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule="url(self).getScheme() == \"https\"",message="url must use https scheme" + // +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule=`matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$')`,message="url path must match /v[0,9]+ or /api/v[0,9]+" URL string `json:"url"` } // IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. // This only includes fields that can be modified in the cluster. -type IBMCloudPlatformSpec struct{} +type IBMCloudPlatformSpec struct { + // serviceEndpoints is a list of custom endpoints which will override the default + // service endpoints of an IBM service. These endpoints are used by components + // within the cluster when trying to reach the IBM Cloud Services that have been + // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + // are updated to reflect the same custom endpoints. + // A maximum of 13 service endpoints overrides are supported. + // +kubebuilder:validation:MaxItems=13 + // +listType=map + // +listMapKey=name + // +optional + // +openshift:enable:FeatureGate=DyanmicServiceEndpointIBMCloud + ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"` +} // IBMCloudPlatformStatus holds the current status of the IBMCloud infrastructure provider. type IBMCloudPlatformStatus struct { @@ -1647,8 +1742,12 @@ type IBMCloudPlatformStatus struct { DNSInstanceCRN string `json:"dnsInstanceCRN,omitempty"` // serviceEndpoints is a list of custom endpoints which will override the default - // service endpoints of an IBM Cloud service. These endpoints are consumed by - // components within the cluster to reach the respective IBM Cloud Services. + // service endpoints of an IBM service. These endpoints are used by components + // within the cluster when trying to reach the IBM Cloud Services that have been + // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + // are updated to reflect the same custom endpoints. + // +openshift:validation:FeatureGateAwareMaxItems:featureGate=DyanmicServiceEndpointIBMCloud,maxItems=13 // +listType=map // +listMapKey=name // +optional @@ -1984,7 +2083,6 @@ type NutanixPlatformStatus struct { // loadBalancer defines how the load balancer used by the cluster is configured. // +default={"type": "OpenShiftManagedDefault"} // +kubebuilder:default={"type": "OpenShiftManagedDefault"} - // +openshift:enable:FeatureGate=BareMetalLoadBalancer // +optional LoadBalancer *NutanixPlatformLoadBalancer `json:"loadBalancer,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go index 95e55a7ff..41dc2eb97 100644 --- a/vendor/github.com/openshift/api/config/v1/types_network.go +++ b/vendor/github.com/openshift/api/config/v1/types_network.go @@ -112,12 +112,10 @@ type NetworkStatus struct { // conditions represents the observations of a network.config current state. // Known .status.conditions.type are: "NetworkDiagnosticsAvailable" // +optional - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +openshift:enable:FeatureGate=NetworkDiagnosticsConfig - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` } // ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go index 3fc7bc0c3..1282f3315 100644 --- a/vendor/github.com/openshift/api/config/v1/types_node.go +++ b/vendor/github.com/openshift/api/config/v1/types_node.go @@ -68,22 +68,20 @@ type NodeSpec struct { type NodeStatus struct { // conditions contain the details and the current state of the nodes.config object - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` } -// +kubebuilder:validation:Enum=v1;v2;"" +// +kubebuilder:validation:Enum=v2;"" type CgroupMode string const ( CgroupModeEmpty CgroupMode = "" // Empty string indicates to honor user set value on the system that should not be overridden by OpenShift CgroupModeV1 CgroupMode = "v1" CgroupModeV2 CgroupMode = "v2" - CgroupModeDefault CgroupMode = CgroupModeV1 + CgroupModeDefault CgroupMode = CgroupModeV2 ) // +kubebuilder:validation:Enum=Default;MediumUpdateAverageReaction;LowUpdateSlowReaction diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml index 1cc395e74..7ab62874a 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusteroperators.crd.yaml @@ -108,6 +108,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map extension: description: |- extension contains any additional status information specific to the diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml index 5061a69c6..087b62dda 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: @@ -141,7 +141,7 @@ spec: Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. - 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. @@ -181,14 +181,14 @@ spec: description: |- image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. - When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string version: description: |- version is a semantic version identifying the update version. - version is ignored if image is specified and required if - architecture is specified. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string type: object x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml index caeeb9064..f93da1e2e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: @@ -141,7 +141,7 @@ spec: Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. - 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. @@ -181,14 +181,14 @@ spec: description: |- image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. - When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string version: description: |- version is a semantic version identifying the update version. - version is ignored if image is specified and required if - architecture is specified. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string type: object x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml index d7319febe..300d94a71 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: @@ -141,7 +141,7 @@ spec: Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. - 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. @@ -181,14 +181,14 @@ spec: description: |- image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. - When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string version: description: |- version is a semantic version identifying the update version. - version is ignored if image is specified and required if - architecture is specified. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string type: object x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml index 438024887..6fc2cb0d9 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: @@ -141,7 +141,7 @@ spec: Some of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. - 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. @@ -181,14 +181,14 @@ spec: description: |- image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. - When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string version: description: |- version is a semantic version identifying the update version. - version is ignored if image is specified and required if - architecture is specified. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. type: string type: object x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml deleted file mode 100644 index 8dd63a328..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml +++ /dev/null @@ -1,432 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - name: apiservers.config.openshift.io -spec: - group: config.openshift.io - names: - kind: APIServer - listKind: APIServerList - plural: apiservers - singular: apiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. The canonical name of an instance is 'cluster'. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request user must - be member of in order to this profile to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption of - resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server DNS name, - as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - x-kubernetes-list-type: atomic - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml deleted file mode 100644 index 93b2b0062..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift.crd.yaml +++ /dev/null @@ -1,574 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - release.openshift.io/bootstrap-required: "true" - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: claim is a JWT token claim to be used in - the mapping - type: string - prefix: - description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" - properties: - claim: - description: claim is a JWT token claim to be used in - the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - claim is a name of a required claim. Only claims with string values are - supported. - minLength: 1 - type: string - requiredValue: - description: requiredValue is the required value for - the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: type sets the type of the validation rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer describes atributes of the OIDC token issuer - properties: - audiences: - description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. - items: - properties: - componentName: - description: componentName is the name of the component that - will consume a client configuration. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. - maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. - items: - properties: - clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider - minLength: 1 - type: string - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 07c2f49d2..be25dac52 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -79,47 +79,220 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. - Default value: "sub" + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -160,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -295,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object @@ -418,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 718aeff5d..5b604bbd2 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -79,47 +79,220 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. - Default value: "sub" + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -160,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -295,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object @@ -418,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 875290968..9ea5ab87b 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -79,47 +79,220 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: + extra: + description: |- + extra is an optional field for configuring the mappings + used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. + A maximum of 64 extra attribute mappings may be provided. + items: + description: |- + ExtraMapping allows specifying a key and CEL expression + to evaluate the keys' value. It is used to create additional + mappings and attributes added to a cluster identity from + a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string + to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one + alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. + maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract + the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. + "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 4096 characters in length. + valueExpression must not be empty. + maxLength: 4096 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object - username: + uid: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. + uid is an optional field for configuring the claim mapping + used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. - Default value: "sub" + When omitted, this means the user has no opinion and the platform + is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is an optional field for specifying the + JWT token claim that is used in the mapping. + The value of this claim will be assigned to + the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length + and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a + CEL expression that produces a string value from + JWT token claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length + and must not exceed 4096 characters in length. + maxLength: 4096 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + username: + description: |- + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -127,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -160,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string @@ -213,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: @@ -236,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -264,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -295,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object @@ -418,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -514,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml index 67e097af3..0477bd983 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml @@ -164,6 +164,11 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-validations: + - message: Only one of blockedRegistries or allowedRegistries may + be set + rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries) + : true' type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml index a622c7d37..34c6dbeff 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml @@ -146,6 +146,11 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-validations: + - message: Only one of blockedRegistries or allowedRegistries may + be set + rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries) + : true' type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml index 89ad329c7..8ff715e26 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml @@ -164,6 +164,11 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-validations: + - message: Only one of blockedRegistries or allowedRegistries may + be set + rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries) + : true' type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml index 66bebe4aa..ccc1c72e5 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml @@ -164,6 +164,11 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-validations: + - message: Only one of blockedRegistries or allowedRegistries may + be set + rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries) + : true' type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index 299a6d52a..02ae2dcb4 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml @@ -223,6 +223,68 @@ spec: ibmcloud: description: ibmcloud contains settings specific to the IBMCloud infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. + A maximum of 13 service endpoints overrides are supported. + items: + description: |- + IBMCloudServiceEndpoint stores the configuration of a custom url to + override existing defaults of IBM Cloud Services. + properties: + name: + description: |- + name is the name of the IBM Cloud service. + Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. + For example, the IBM Cloud Private IAM service could be configured with the + service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` + Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured + with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com` + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 + type: string + x-kubernetes-validations: + - message: url must use https scheme + rule: url(self).getScheme() == "https" + - message: url path must match /v[0,9]+ or /api/v[0,9]+ + rule: matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$') + - message: url must be a valid absolute URL + rule: isURL(self) + required: + - name + - url + type: object + maxItems: 13 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object kubevirt: description: kubevirt contains settings specific to the kubevirt @@ -1068,6 +1130,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1305,20 +1368,35 @@ spec: created for the cluster. properties: key: - description: key is the key of the tag + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. maxLength: 128 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') value: description: |- - value is the value of the tag. + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services. maxLength: 256 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') required: - key - value @@ -1808,6 +1886,71 @@ spec: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + serviceEndpoints: + description: |- + serviceEndpoints specifies endpoints that override the default endpoints + used when creating clients to interact with GCP services. + When not specified, the default endpoint for the GCP region will be used. + Only 1 endpoint override is permitted for each GCP service. + The maximum number of endpoint overrides allowed is 9. + items: + description: |- + GCPServiceEndpoint store the configuration of a custom url to + override existing defaults of GCP Services. + properties: + name: + description: |- + name is the name of the GCP service whose endpoint is being overridden. + This must be provided and cannot be empty. + + Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, + Storage, and TagManager. + + As an example, when setting the name to Compute all requests made by the caller to the GCP Compute + Service will be directed to the endpoint specified in the url field. + enum: + - Compute + - Container + - CloudResourceManager + - DNS + - File + - IAM + - ServiceUsage + - Storage + type: string + url: + description: |- + url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified + in the name field. + url is required, must use the scheme https, must not be more than 253 characters in length, + and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) + + An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" + maxLength: 253 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be https + rule: 'isURL(self) ? (url(self).getScheme() == "https") + : true' + - message: url must consist only of a scheme and domain. + The url path must be empty. + rule: url(self).getEscapedPath() == "" || url(self).getEscapedPath() + == "/" + required: + - name + - url + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: only 1 endpoint override is permitted per GCP service + name + rule: self.all(x, self.exists_one(y, x.name == y.name)) type: object x-kubernetes-validations: - message: resourceLabels may only be configured during installation @@ -1844,8 +1987,11 @@ spec: serviceEndpoints: description: |- serviceEndpoints is a list of custom endpoints which will override the default - service endpoints of an IBM Cloud service. These endpoints are consumed by - components within the cluster to reach the respective IBM Cloud Services. + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. items: description: |- IBMCloudServiceEndpoint stores the configuration of a custom url to @@ -1878,7 +2024,9 @@ spec: description: |- url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. - This must be provided and cannot be empty. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 type: string x-kubernetes-validations: - message: url must be a valid absolute URL @@ -1887,6 +2035,7 @@ spec: - name - url type: object + maxItems: 13 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 55ec17de5..6dcc0cfb6 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml @@ -718,7 +718,7 @@ spec: //network/. items: type: string - maxItems: 1 + maxItems: 10 minItems: 1 type: array x-kubernetes-list-type: atomic @@ -1185,20 +1185,35 @@ spec: created for the cluster. properties: key: - description: key is the key of the tag + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. maxLength: 128 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') value: description: |- - value is the value of the tag. + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services. maxLength: 256 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') required: - key - value @@ -1620,8 +1635,11 @@ spec: serviceEndpoints: description: |- serviceEndpoints is a list of custom endpoints which will override the default - service endpoints of an IBM Cloud service. These endpoints are consumed by - components within the cluster to reach the respective IBM Cloud Services. + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. items: description: |- IBMCloudServiceEndpoint stores the configuration of a custom url to @@ -1654,7 +1672,9 @@ spec: description: |- url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. - This must be provided and cannot be empty. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 type: string x-kubernetes-validations: - message: url must be a valid absolute URL diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 9b6a6716a..f0e96f9fa 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml @@ -223,6 +223,68 @@ spec: ibmcloud: description: ibmcloud contains settings specific to the IBMCloud infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. + A maximum of 13 service endpoints overrides are supported. + items: + description: |- + IBMCloudServiceEndpoint stores the configuration of a custom url to + override existing defaults of IBM Cloud Services. + properties: + name: + description: |- + name is the name of the IBM Cloud service. + Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. + For example, the IBM Cloud Private IAM service could be configured with the + service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` + Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured + with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com` + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 + type: string + x-kubernetes-validations: + - message: url must use https scheme + rule: url(self).getScheme() == "https" + - message: url path must match /v[0,9]+ or /api/v[0,9]+ + rule: matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$') + - message: url must be a valid absolute URL + rule: isURL(self) + required: + - name + - url + type: object + maxItems: 13 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object kubevirt: description: kubevirt contains settings specific to the kubevirt @@ -1068,6 +1130,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1305,20 +1368,35 @@ spec: created for the cluster. properties: key: - description: key is the key of the tag + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. maxLength: 128 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') value: description: |- - value is the value of the tag. + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services. maxLength: 256 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') required: - key - value @@ -1808,6 +1886,71 @@ spec: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + serviceEndpoints: + description: |- + serviceEndpoints specifies endpoints that override the default endpoints + used when creating clients to interact with GCP services. + When not specified, the default endpoint for the GCP region will be used. + Only 1 endpoint override is permitted for each GCP service. + The maximum number of endpoint overrides allowed is 9. + items: + description: |- + GCPServiceEndpoint store the configuration of a custom url to + override existing defaults of GCP Services. + properties: + name: + description: |- + name is the name of the GCP service whose endpoint is being overridden. + This must be provided and cannot be empty. + + Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, + Storage, and TagManager. + + As an example, when setting the name to Compute all requests made by the caller to the GCP Compute + Service will be directed to the endpoint specified in the url field. + enum: + - Compute + - Container + - CloudResourceManager + - DNS + - File + - IAM + - ServiceUsage + - Storage + type: string + url: + description: |- + url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified + in the name field. + url is required, must use the scheme https, must not be more than 253 characters in length, + and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) + + An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" + maxLength: 253 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be https + rule: 'isURL(self) ? (url(self).getScheme() == "https") + : true' + - message: url must consist only of a scheme and domain. + The url path must be empty. + rule: url(self).getEscapedPath() == "" || url(self).getEscapedPath() + == "/" + required: + - name + - url + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: only 1 endpoint override is permitted per GCP service + name + rule: self.all(x, self.exists_one(y, x.name == y.name)) type: object x-kubernetes-validations: - message: resourceLabels may only be configured during installation @@ -1844,8 +1987,11 @@ spec: serviceEndpoints: description: |- serviceEndpoints is a list of custom endpoints which will override the default - service endpoints of an IBM Cloud service. These endpoints are consumed by - components within the cluster to reach the respective IBM Cloud Services. + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. items: description: |- IBMCloudServiceEndpoint stores the configuration of a custom url to @@ -1878,7 +2024,9 @@ spec: description: |- url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. - This must be provided and cannot be empty. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 type: string x-kubernetes-validations: - message: url must be a valid absolute URL @@ -1887,6 +2035,7 @@ spec: - name - url type: object + maxItems: 13 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index b0c12e2eb..0391eb184 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml @@ -223,6 +223,68 @@ spec: ibmcloud: description: ibmcloud contains settings specific to the IBMCloud infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. + A maximum of 13 service endpoints overrides are supported. + items: + description: |- + IBMCloudServiceEndpoint stores the configuration of a custom url to + override existing defaults of IBM Cloud Services. + properties: + name: + description: |- + name is the name of the IBM Cloud service. + Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. + For example, the IBM Cloud Private IAM service could be configured with the + service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` + Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured + with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com` + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 + type: string + x-kubernetes-validations: + - message: url must use https scheme + rule: url(self).getScheme() == "https" + - message: url path must match /v[0,9]+ or /api/v[0,9]+ + rule: matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$') + - message: url must be a valid absolute URL + rule: isURL(self) + required: + - name + - url + type: object + maxItems: 13 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object kubevirt: description: kubevirt contains settings specific to the kubevirt @@ -1305,20 +1367,35 @@ spec: created for the cluster. properties: key: - description: key is the key of the tag + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. maxLength: 128 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') value: description: |- - value is the value of the tag. + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services. maxLength: 256 minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') required: - key - value @@ -1808,6 +1885,71 @@ spec: - message: resourceTags are immutable and may only be configured during installation rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + serviceEndpoints: + description: |- + serviceEndpoints specifies endpoints that override the default endpoints + used when creating clients to interact with GCP services. + When not specified, the default endpoint for the GCP region will be used. + Only 1 endpoint override is permitted for each GCP service. + The maximum number of endpoint overrides allowed is 9. + items: + description: |- + GCPServiceEndpoint store the configuration of a custom url to + override existing defaults of GCP Services. + properties: + name: + description: |- + name is the name of the GCP service whose endpoint is being overridden. + This must be provided and cannot be empty. + + Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, + Storage, and TagManager. + + As an example, when setting the name to Compute all requests made by the caller to the GCP Compute + Service will be directed to the endpoint specified in the url field. + enum: + - Compute + - Container + - CloudResourceManager + - DNS + - File + - IAM + - ServiceUsage + - Storage + type: string + url: + description: |- + url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified + in the name field. + url is required, must use the scheme https, must not be more than 253 characters in length, + and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) + + An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" + maxLength: 253 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be https + rule: 'isURL(self) ? (url(self).getScheme() == "https") + : true' + - message: url must consist only of a scheme and domain. + The url path must be empty. + rule: url(self).getEscapedPath() == "" || url(self).getEscapedPath() + == "/" + required: + - name + - url + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: only 1 endpoint override is permitted per GCP service + name + rule: self.all(x, self.exists_one(y, x.name == y.name)) type: object x-kubernetes-validations: - message: resourceLabels may only be configured during installation @@ -1844,8 +1986,11 @@ spec: serviceEndpoints: description: |- serviceEndpoints is a list of custom endpoints which will override the default - service endpoints of an IBM Cloud service. These endpoints are consumed by - components within the cluster to reach the respective IBM Cloud Services. + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. items: description: |- IBMCloudServiceEndpoint stores the configuration of a custom url to @@ -1878,7 +2023,9 @@ spec: description: |- url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. - This must be provided and cannot be empty. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 type: string x-kubernetes-validations: - message: url must be a valid absolute URL @@ -1887,6 +2034,7 @@ spec: - name - url type: object + maxItems: 13 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 776be2eeb..1274ac4d5 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml index a4d69857d..bc50d3702 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 00413af2e..0cd65142f 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 8504be1e3..13d3adce9 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml @@ -49,7 +49,6 @@ spec: cgroupMode: description: cgroupMode determines the cgroups version on the node enum: - - v1 - v2 - "" type: string diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index b013d4595..70edc1769 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 @@ -42,6 +42,11 @@ func (in *APIServer) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { *out = *in + if in.KMS != nil { + in, out := &in.KMS, &out.KMS + *out = new(KMSConfig) + (*in).DeepCopyInto(*out) + } return } @@ -143,7 +148,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - out.Encryption = in.Encryption + in.Encryption.DeepCopyInto(&out.Encryption) if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile *out = new(TLSSecurityProfile) @@ -211,6 +216,22 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. +func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { + if in == nil { + return nil + } + out := new(AWSKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -1003,6 +1024,112 @@ func (in *ClusterCondition) DeepCopy() *ClusterCondition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy. +func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy { + if in == nil { + return nil + } + out := new(ClusterImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList. +func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList { + if in == nil { + return nil + } + out := new(ClusterImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec. +func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec { + if in == nil { + return nil + } + out := new(ClusterImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus. +func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus { + if in == nil { + return nil + } + out := new(ClusterImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterNetworkEntry) DeepCopyInto(out *ClusterNetworkEntry) { *out = *in @@ -2000,6 +2127,22 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping. +func (in *ExtraMapping) DeepCopy() *ExtraMapping { + if in == nil { + return nil + } + out := new(ExtraMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FeatureGate) DeepCopyInto(out *FeatureGate) { *out = *in @@ -2192,6 +2335,33 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. +func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { + if in == nil { + return nil + } + out := new(FulcioCAWithRekor) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) { *out = *in @@ -2226,6 +2396,11 @@ func (in *GCPPlatformStatus) DeepCopyInto(out *GCPPlatformStatus) { *out = new(CloudLoadBalancerConfig) (*in).DeepCopyInto(*out) } + if in.ServiceEndpoints != nil { + in, out := &in.ServiceEndpoints, &out.ServiceEndpoints + *out = make([]GCPServiceEndpoint, len(*in)) + copy(*out, *in) + } return } @@ -2271,6 +2446,22 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GCPServiceEndpoint) DeepCopyInto(out *GCPServiceEndpoint) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPServiceEndpoint. +func (in *GCPServiceEndpoint) DeepCopy() *GCPServiceEndpoint { + if in == nil { + return nil + } + out := new(GCPServiceEndpoint) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) { *out = *in @@ -2450,6 +2641,11 @@ func (in *HubSourceStatus) DeepCopy() *HubSourceStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IBMCloudPlatformSpec) DeepCopyInto(out *IBMCloudPlatformSpec) { *out = *in + if in.ServiceEndpoints != nil { + in, out := &in.ServiceEndpoints, &out.ServiceEndpoints + *out = make([]IBMCloudServiceEndpoint, len(*in)) + copy(*out, *in) + } return } @@ -2859,6 +3055,112 @@ func (in *ImageList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. +func (in *ImagePolicy) DeepCopy() *ImagePolicy { + if in == nil { + return nil + } + out := new(ImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. +func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { + if in == nil { + return nil + } + out := new(ImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. +func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { + if in == nil { + return nil + } + out := new(ImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. +func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { + if in == nil { + return nil + } + out := new(ImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in @@ -3279,6 +3581,27 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { + *out = *in + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AWSKMSConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig. +func (in *KMSConfig) DeepCopy() *KMSConfig { + if in == nil { + return nil + } + out := new(KMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in @@ -4648,6 +4971,49 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in @@ -4689,7 +5055,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { if in.IBMCloud != nil { in, out := &in.IBMCloud, &out.IBMCloud *out = new(IBMCloudPlatformSpec) - **out = **in + (*in).DeepCopyInto(*out) } if in.Kubevirt != nil { in, out := &in.Kubevirt, &out.Kubevirt @@ -4820,6 +5186,133 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + if in.SignedIdentity != nil { + in, out := &in.SignedIdentity, &out.SignedIdentity + *out = new(PolicyIdentity) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject. +func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject { + if in == nil { + return nil + } + out := new(PolicyFulcioSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) { + *out = *in + if in.PolicyMatchExactRepository != nil { + in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository + *out = new(PolicyMatchExactRepository) + **out = **in + } + if in.PolicyMatchRemapIdentity != nil { + in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity + *out = new(PolicyMatchRemapIdentity) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity. +func (in *PolicyIdentity) DeepCopy() *PolicyIdentity { + if in == nil { + return nil + } + out := new(PolicyIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository. +func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository { + if in == nil { + return nil + } + out := new(PolicyMatchExactRepository) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity. +func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity { + if in == nil { + return nil + } + out := new(PolicyMatchRemapIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { + *out = *in + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(PublicKey) + (*in).DeepCopyInto(*out) + } + if in.FulcioCAWithRekor != nil { + in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor + *out = new(FulcioCAWithRekor) + (*in).DeepCopyInto(*out) + } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust. +func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { + if in == nil { + return nil + } + out := new(PolicyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PowerVSPlatformSpec) DeepCopyInto(out *PowerVSPlatformSpec) { *out = *in @@ -5120,6 +5613,32 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PublicKey) DeepCopyInto(out *PublicKey) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. +func (in *PublicKey) DeepCopy() *PublicKey { + if in == nil { + return nil + } + out := new(PublicKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) { *out = *in @@ -5659,6 +6178,16 @@ func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings) { *out = *in in.Username.DeepCopyInto(&out.Username) out.Groups = in.Groups + if in.UID != nil { + in, out := &in.UID, &out.UID + *out = new(TokenClaimOrExpressionMapping) + **out = **in + } + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make([]ExtraMapping, len(*in)) + copy(*out, *in) + } return } @@ -5672,6 +6201,22 @@ func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenClaimOrExpressionMapping) DeepCopyInto(out *TokenClaimOrExpressionMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimOrExpressionMapping. +func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMapping { + if in == nil { + return nil + } + out := new(TokenClaimOrExpressionMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) { *out = *in @@ -5792,7 +6337,6 @@ func (in *UpdateHistory) DeepCopy() *UpdateHistory { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping) { *out = *in - out.TokenClaimMapping = in.TokenClaimMapping if in.Prefix != nil { in, out := &in.Prefix, &out.Prefix *out = new(UsernamePrefix) diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 78fd36f3f..19a304c17 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ apiservers.config.openshift.io: CRDName: apiservers.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -29,6 +30,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCWithUIDAndExtraClaimMappings FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -64,6 +66,30 @@ builds.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +clusterimagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: clusterimagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ClusterImagePolicy + Labels: {} + PluralName: clusterimagepolicies + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + clusteroperators.config.openshift.io: Annotations: include.release.openshift.io/self-managed-high-availability: "true" @@ -280,6 +306,30 @@ imagedigestmirrorsets.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +imagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: imagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ImagePolicy + Labels: {} + PluralName: imagepolicies + PrinterColumns: [] + Scope: Namespaced + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + imagetagmirrorsets.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" @@ -312,15 +362,16 @@ infrastructures.config.openshift.io: Category: "" FeatureGates: - AWSClusterHostedDNS - - BareMetalLoadBalancer + - DualReplica + - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNS + - GCPCustomAPIEndpoints - GCPLabelsTags - HighlyAvailableArbiter + - HighlyAvailableArbiter+DualReplica - NutanixMultiSubnets - - VSphereControlPlaneMachineSet - VSphereHostVMGroupZonal - VSphereMultiNetworks - - VSphereMultiVCenters FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 0ac9c7ccd..eb78ad7ca 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -277,7 +277,9 @@ func (APIServer) SwaggerDoc() map[string]string { } var map_APIServerEncryption = map[string]string{ + "": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", + "kms": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", } func (APIServerEncryption) SwaggerDoc() map[string]string { @@ -394,12 +396,23 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExtraMapping = map[string]string{ + "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", + "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", + "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", +} + +func (ExtraMapping) SwaggerDoc() map[string]string { + return map_ExtraMapping +} + var map_OIDCClientConfig = map[string]string{ - "componentName": "componentName is the name of the component that is supposed to consume this client configuration", - "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", - "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", - "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { @@ -407,9 +420,10 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "": "OIDCClientReference is a reference to a platform component client configuration.", + "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", } func (OIDCClientReference) SwaggerDoc() map[string]string { @@ -417,10 +431,11 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "componentName": "componentName is the name of the component that will consume a client configuration.", - "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", - "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", - "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } @@ -429,11 +444,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name of the OIDC provider", - "issuer": "issuer describes atributes of the OIDC token issuer", - "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", - "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", - "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -441,7 +456,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -449,7 +465,8 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "claim": "claim is a JWT token claim to be used in the mapping", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { @@ -457,17 +474,29 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", - "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { return map_TokenClaimMappings } +var map_TokenClaimOrExpressionMapping = map[string]string{ + "": "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.", + "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", +} + +func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { + return map_TokenClaimOrExpressionMapping +} + var map_TokenClaimValidationRule = map[string]string{ - "type": "type sets the type of the validation rule", - "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { @@ -475,9 +504,9 @@ func (TokenClaimValidationRule) SwaggerDoc() map[string]string { } var map_TokenIssuer = map[string]string{ - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", - "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nissuerURL must use the 'https' scheme.", + "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", } func (TokenIssuer) SwaggerDoc() map[string]string { @@ -485,8 +514,8 @@ func (TokenIssuer) SwaggerDoc() map[string]string { } var map_TokenRequiredClaim = map[string]string{ - "claim": "claim is a name of a required claim. Only claims with string values are supported.", - "requiredValue": "requiredValue is the required value for the claim.", + "claim": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { @@ -494,13 +523,24 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } func (UsernameClaimMapping) SwaggerDoc() map[string]string { return map_UsernameClaimMapping } +var map_UsernamePrefix = map[string]string{ + "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +} + +func (UsernamePrefix) SwaggerDoc() map[string]string { + return map_UsernamePrefix +} + var map_WebhookTokenAuthenticator = map[string]string{ "": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.", @@ -571,6 +611,45 @@ func (ImageLabel) SwaggerDoc() map[string]string { return map_ImageLabel } +var map_ClusterImagePolicy = map[string]string{ + "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the configuration for the cluster image policy.", + "status": "status contains the observed state of the resource.", +} + +func (ClusterImagePolicy) SwaggerDoc() map[string]string { + return map_ClusterImagePolicy +} + +var map_ClusterImagePolicyList = map[string]string{ + "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ClusterImagePolices", +} + +func (ClusterImagePolicyList) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyList +} + +var map_ClusterImagePolicySpec = map[string]string{ + "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { + return map_ClusterImagePolicySpec +} + +var map_ClusterImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyStatus +} + var map_ClusterOperator = map[string]string{ "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -698,9 +777,9 @@ func (ClusterVersionList) SwaggerDoc() map[string]string { var map_ClusterVersionSpec = map[string]string{ "": "ClusterVersionSpec is the desired version state of the cluster. It includes the version the cluster should be at, how the cluster is identified, and where the cluster should look for version updates.", "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", - "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", + "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", - "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + "channel": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", @@ -797,8 +876,8 @@ func (SignatureStore) SwaggerDoc() map[string]string { var map_Update = map[string]string{ "": "Update represents an administrator update request.", "architecture": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", - "version": "version is a semantic version identifying the update version. version is ignored if image is specified and required if architecture is specified.", - "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, version is ignored. When image is set, version should be empty. When image is set, architecture cannot be specified.", + "version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", + "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "force": "force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources.", } @@ -1135,6 +1214,147 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } +var map_FulcioCAWithRekor = map[string]string{ + "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (FulcioCAWithRekor) SwaggerDoc() map[string]string { + return map_FulcioCAWithRekor +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ImagePolicies", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + +var map_PolicyFulcioSubject = map[string]string{ + "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", +} + +func (PolicyFulcioSubject) SwaggerDoc() map[string]string { + return map_PolicyFulcioSubject +} + +var map_PolicyIdentity = map[string]string{ + "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "matchPolicy": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "remapIdentity": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", +} + +func (PolicyIdentity) SwaggerDoc() map[string]string { + return map_PolicyIdentity +} + +var map_PolicyMatchExactRepository = map[string]string{ + "repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", +} + +func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { + return map_PolicyMatchExactRepository +} + +var map_PolicyMatchRemapIdentity = map[string]string{ + "prefix": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", +} + +func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { + return map_PolicyMatchRemapIdentity +} + +var map_PolicyRootOfTrust = map[string]string{ + "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", +} + +func (PolicyRootOfTrust) SwaggerDoc() map[string]string { + return map_PolicyRootOfTrust +} + +var map_PublicKey = map[string]string{ + "": "PublicKey defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (PublicKey) SwaggerDoc() map[string]string { + return map_PublicKey +} + var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1198,8 +1418,8 @@ func (AWSPlatformStatus) SwaggerDoc() map[string]string { var map_AWSResourceTag = map[string]string{ "": "AWSResourceTag is a tag to apply to AWS resources created for the cluster.", - "key": "key is the key of the tag", - "value": "value is the value of the tag. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services.", + "key": "key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. Key should consist of between 1 and 128 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.", + "value": "value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. Value should consist of between 1 and 256 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services.", } func (AWSResourceTag) SwaggerDoc() map[string]string { @@ -1392,6 +1612,7 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", + "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -1419,8 +1640,19 @@ func (GCPResourceTag) SwaggerDoc() map[string]string { return map_GCPResourceTag } +var map_GCPServiceEndpoint = map[string]string{ + "": "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.", + "name": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.", + "url": "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"", +} + +func (GCPServiceEndpoint) SwaggerDoc() map[string]string { + return map_GCPServiceEndpoint +} + var map_IBMCloudPlatformSpec = map[string]string{ - "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", + "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", } func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string { @@ -1434,7 +1666,7 @@ var map_IBMCloudPlatformStatus = map[string]string{ "providerType": "providerType indicates the type of cluster that was created", "cisInstanceCRN": "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain", "dnsInstanceCRN": "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM Cloud service. These endpoints are consumed by components within the cluster to reach the respective IBM Cloud Services.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", } func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { @@ -1444,7 +1676,7 @@ func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { var map_IBMCloudServiceEndpoint = map[string]string{ "": "IBMCloudServiceEndpoint stores the configuration of a custom url to override existing defaults of IBM Cloud Services.", "name": "name is the name of the IBM Cloud service. Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. For example, the IBM Cloud Private IAM service could be configured with the service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`", - "url": "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.", + "url": "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty. The path must follow the pattern /v[0,9]+ or /api/v[0,9]+", } func (IBMCloudServiceEndpoint) SwaggerDoc() map[string]string { @@ -1962,6 +2194,26 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } +var map_AWSKMSConfig = map[string]string{ + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", +} + +func (AWSKMSConfig) SwaggerDoc() map[string]string { + return map_AWSKMSConfig +} + +var map_KMSConfig = map[string]string{ + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", +} + +func (KMSConfig) SwaggerDoc() map[string]string { + return map_KMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index 5eaeeea73..107b9e29a 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -59,6 +59,7 @@ type ClusterImagePolicyStatus struct { // conditions provide details on the status of this API Resource. // +listType=map // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 7f57d88f9..5ffeac40d 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -73,10 +73,12 @@ type Policy struct { // +union // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + // "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` @@ -88,14 +90,20 @@ type PolicyRootOfTrust struct { // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + // +optional + // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI + PKI *PKI `json:"pki,omitempty"` } -// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI type PolicyType string const ( PublicKeyRootOfTrust PolicyType = "PublicKey" FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" + PKIRootOfTrust PolicyType = "PKI" ) // PublicKey defines the root of trust based on a sigstore public key. @@ -143,6 +151,48 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } +// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type PKI struct { + // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + CertificateAuthorityRootsData []byte `json:"caRootsData"` + // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + // caIntermediatesData requires caRootsData to be set. + // +optional + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + // +kubebuilder:validation:MaxLength=8192 + CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` + + // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued. + // +required + PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"` +} + +// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued. +// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" +// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI +type PKICertificateSubject struct { + // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + // The email should be a valid email address and at most 320 characters in length. + // +optional + // +kubebuilder:validation:MaxLength:=320 + // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" + Email string `json:"email,omitempty"` + // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + // The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + // It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + // +optional + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + Hostname string `json:"hostname,omitempty"` +} + // PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact". // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go index 3ae4de157..46666ae3b 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go @@ -32,33 +32,97 @@ type InsightsDataGather struct { } type InsightsDataGatherSpec struct { - // gatherConfig spec attribute includes all the configuration options related to - // gathering of the Insights data and its uploading to the ingress. + // gatherConfig spec attribute includes all the configuration options related to gathering of the Insights data and its uploading to the ingress. // +optional GatherConfig GatherConfig `json:"gatherConfig,omitempty"` } -type InsightsDataGatherStatus struct { -} +type InsightsDataGatherStatus struct{} // gatherConfig provides data gathering configuration options. type GatherConfig struct { - // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain - // in the Insights archive data. Valid values are "None" and "ObfuscateNetworking". + // dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. + // Valid values are "None" and "ObfuscateNetworking". // When set to None the data is not obfuscated. // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The current default is None. // +optional DataPolicy DataPolicy `json:"dataPolicy,omitempty"` // disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing "all" value. // If all the gatherers are disabled, the Insights operator does not gather any data. + // The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. + // Gatherer consists of a lowercase letters only that may include underscores (_). + // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. // Run the following command to get the names of last active gatherers: // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" // An example of disabling gatherers looks like this: `disabledGatherers: ["clusterconfig/machine_configs", "workloads/workload_info"]` + // +kubebuilder:validation:MaxItems=100 + // +optional + DisabledGatherers []DisabledGatherer `json:"disabledGatherers"` + // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. + // If omitted, the gathering job will use ephemeral storage. + // +optional + StorageSpec *Storage `json:"storage,omitempty"` +} + +// disabledGatherer is a string that represents a gatherer that should be disabled +// +kubebuilder:validation:MaxLength=256 +// +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`disabledGatherer must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided` +type DisabledGatherer string + +// storage provides persistent storage configuration options for gathering jobs. +// If the type is set to PersistentVolume, then the PersistentVolume must be defined. +// If the type is set to Ephemeral, then the PersistentVolume must not be defined. +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise" +type Storage struct { + // type is a required field that specifies the type of storage that will be used to store the Insights data archive. + // Valid values are "PersistentVolume" and "Ephemeral". + // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. + // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. + // +required + Type StorageType `json:"type"` + // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. + // The PersistentVolume must be created in the openshift-insights namespace. // +optional - DisabledGatherers []string `json:"disabledGatherers"` + PersistentVolume *PersistentVolumeConfig `json:"persistentVolume,omitempty"` +} + +// storageType declares valid storage types +// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral +type StorageType string + +const ( + // StorageTypePersistentVolume storage type + StorageTypePersistentVolume StorageType = "PersistentVolume" + // StorageTypeEphemeral storage type + StorageTypeEphemeral StorageType = "Ephemeral" +) + +// persistentVolumeConfig provides configuration options for PersistentVolume storage. +type PersistentVolumeConfig struct { + // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. + // The PersistentVolumeClaim must be created in the openshift-insights namespace. + // +required + Claim PersistentVolumeClaimReference `json:"claim"` + // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default mount path is /var/lib/insights-operator + // The path may not exceed 1024 characters and must not contain a colon. + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon" + // +optional + MountPath string `json:"mountPath,omitempty"` +} + +// persistentVolumeClaimReference is a reference to a PersistentVolumeClaim. +type PersistentVolumeClaimReference struct { + // name is a string that follows the DNS1123 subdomain format. + // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +kubebuilder:validation:MaxLength:=253 + // +required + Name string `json:"name"` } const ( diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index 8e22e2d27..b605ffcf4 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 @@ -353,9 +353,14 @@ func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { *out = *in if in.DisabledGatherers != nil { in, out := &in.DisabledGatherers, &out.DisabledGatherers - *out = make([]string, len(*in)) + *out = make([]DisabledGatherer, len(*in)) copy(*out, *in) } + if in.StorageSpec != nil { + in, out := &in.StorageSpec, &out.StorageSpec + *out = new(Storage) + (*in).DeepCopyInto(*out) + } return } @@ -569,6 +574,82 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. +func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { + if in == nil { + return nil + } + out := new(PersistentVolumeClaimReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { + *out = *in + out.Claim = in.Claim + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. +func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { + if in == nil { + return nil + } + out := new(PersistentVolumeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Policy) DeepCopyInto(out *Policy) { *out = *in @@ -674,6 +755,11 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = new(FulcioCAWithRekor) (*in).DeepCopyInto(*out) } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } return } @@ -771,6 +857,27 @@ func (in *RetentionSizeConfig) DeepCopy() *RetentionSizeConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Storage) DeepCopyInto(out *Storage) { + *out = *in + if in.PersistentVolume != nil { + in, out := &in.PersistentVolume, &out.PersistentVolume + *out = new(PersistentVolumeConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. +func (in *Storage) DeepCopy() *Storage { + if in == nil { + return nil + } + out := new(Storage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserDefinedMonitoring) DeepCopyInto(out *UserDefinedMonitoring) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 1d4a88d50..b9dca71a9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -29,6 +29,7 @@ clusterimagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -76,6 +77,7 @@ imagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 92ae6cc72..3b145db6c 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -214,6 +214,27 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + var map_Policy = map[string]string{ "": "Policy defines the verification policy for the items in the scopes list.", "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", @@ -264,9 +285,10 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "publicKey": "publicKey defines the root of trust based on a sigstore public key.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", } func (PolicyRootOfTrust) SwaggerDoc() map[string]string { @@ -285,8 +307,9 @@ func (PublicKey) SwaggerDoc() map[string]string { var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", - "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is None.", - "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "disabledGatherers": "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", + "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", } func (GatherConfig) SwaggerDoc() map[string]string { @@ -321,4 +344,33 @@ func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { return map_InsightsDataGatherSpec } +var map_PersistentVolumeClaimReference = map[string]string{ + "": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + "name": "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", +} + +func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { + return map_PersistentVolumeClaimReference +} + +var map_PersistentVolumeConfig = map[string]string{ + "": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", + "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", +} + +func (PersistentVolumeConfig) SwaggerDoc() map[string]string { + return map_PersistentVolumeConfig +} + +var map_Storage = map[string]string{ + "": "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", + "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", +} + +func (Storage) SwaggerDoc() map[string]string { + return map_Storage +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/github.com/openshift/api/console/v1/types_console_plugin.go b/vendor/github.com/openshift/api/console/v1/types_console_plugin.go index 569f20fe1..bf5e3cb99 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_plugin.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_plugin.go @@ -61,7 +61,7 @@ type ConsolePluginSpec struct { // from a cluster service. // CSP violation reports can be viewed in the browser's console logs during development and // testing of the plugin in the OpenShift web console. - // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc. + // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. // Each of the available directives may be defined only once in the list. // The value 'self' is automatically included in all fetch directives by the OpenShift web // console's backend. @@ -101,7 +101,7 @@ type ConsolePluginSpec struct { // DirectiveType is an enumeration of OpenShift web console supported CSP directives. // LoadType is an enumeration of i18n loading types. -// +kubebuilder:validation:Enum:="DefaultSrc";"ScriptSrc";"StyleSrc";"ImgSrc";"FontSrc";"ObjectSrc";"ConnectSrc" +// +kubebuilder:validation:Enum:="DefaultSrc";"ScriptSrc";"StyleSrc";"ImgSrc";"FontSrc";"ConnectSrc" // +enum type DirectiveType string @@ -126,10 +126,6 @@ const ( // For more information about the FontSrc directive, see: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src FontSrc DirectiveType = "FontSrc" - // ObjectSrc directive specifies valid sources for the and elements. - // For more information about the ObjectSrc directive, see: - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src - ObjectSrc DirectiveType = "ObjectSrc" // ConnectSrc directive restricts the URLs which can be loaded using script interfaces. // For more information about the ConnectSrc directive, see: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src @@ -151,7 +147,7 @@ type CSPDirectiveValue string // ConsolePluginCSP holds configuration for a specific CSP directive type ConsolePluginCSP struct { // directive specifies which Content-Security-Policy directive to configure. - // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc. + // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. // DefaultSrc directive serves as a fallback for the other CSP fetch directives. // For more information about the DefaultSrc directive, see: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src @@ -167,9 +163,6 @@ type ConsolePluginCSP struct { // FontSrc directive specifies valid sources for fonts loaded using @font-face. // For more information about the FontSrc directive, see: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src - // ObjectSrc directive specifies valid sources for the and elements. - // For more information about the ObjectSrc directive, see: - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src // ConnectSrc directive restricts the URLs which can be loaded using script interfaces. // For more information about the ConnectSrc directive, see: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go index d4fefaa37..7bb91394e 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go index 408db0d7c..a02cbf7c1 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go @@ -190,7 +190,7 @@ func (ConsolePluginBackend) SwaggerDoc() map[string]string { var map_ConsolePluginCSP = map[string]string{ "": "ConsolePluginCSP holds configuration for a specific CSP directive", - "directive": "directive specifies which Content-Security-Policy directive to configure. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc. DefaultSrc directive serves as a fallback for the other CSP fetch directives. For more information about the DefaultSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src ScriptSrc directive specifies valid sources for JavaScript. For more information about the ScriptSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src StyleSrc directive specifies valid sources for stylesheets. For more information about the StyleSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src ImgSrc directive specifies a valid sources of images and favicons. For more information about the ImgSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src FontSrc directive specifies valid sources for fonts loaded using @font-face. For more information about the FontSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src ObjectSrc directive specifies valid sources for the and elements. For more information about the ObjectSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src ConnectSrc directive restricts the URLs which can be loaded using script interfaces. For more information about the ConnectSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src", + "directive": "directive specifies which Content-Security-Policy directive to configure. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. DefaultSrc directive serves as a fallback for the other CSP fetch directives. For more information about the DefaultSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src ScriptSrc directive specifies valid sources for JavaScript. For more information about the ScriptSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src StyleSrc directive specifies valid sources for stylesheets. For more information about the StyleSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src ImgSrc directive specifies a valid sources of images and favicons. For more information about the ImgSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src FontSrc directive specifies valid sources for fonts loaded using @font-face. For more information about the FontSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src ConnectSrc directive restricts the URLs which can be loaded using script interfaces. For more information about the ConnectSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src", "values": "values defines an array of values to append to the console defaults for this directive. Each ConsolePlugin may define their own directives with their values. These will be set by the OpenShift web console's backend, as part of its Content-Security-Policy header. The array can contain at most 16 values. Each directive value must have a maximum length of 1024 characters and must not contain whitespace, commas (,), semicolons (;) or single quotes ('). The value '*' is not permitted. Each value in the array must be unique.", } @@ -267,7 +267,7 @@ var map_ConsolePluginSpec = map[string]string{ "backend": "backend holds the configuration of backend which is serving console's plugin .", "proxy": "proxy is a list of proxies that describe various service type to which the plugin needs to connect to.", "i18n": "i18n is the configuration of plugin's localization resources.", - "contentSecurityPolicy": "contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. Each directive specifies a list of values, appropriate for the given directive type, for example a list of remote endpoints for fetch directives such as ScriptSrc. Console web application uses CSP to detect and mitigate certain types of attacks, such as cross-site scripting (XSS) and data injection attacks. Dynamic plugins should specify this field if need to load assets from outside the cluster or if violation reports are observed. Dynamic plugins should always prefer loading their assets from within the cluster, either by vendoring them, or fetching from a cluster service. CSP violation reports can be viewed in the browser's console logs during development and testing of the plugin in the OpenShift web console. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc. Each of the available directives may be defined only once in the list. The value 'self' is automatically included in all fetch directives by the OpenShift web console's backend. For more information about the CSP directives, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n\nThe OpenShift web console server aggregates the CSP directives and values across its own default values and all enabled ConsolePlugin CRs, merging them into a single policy string that is sent to the browser via `Content-Security-Policy` HTTP response header.\n\nExample:\n ConsolePlugin A directives:\n script-src: https://script1.com/, https://script2.com/\n font-src: https://font1.com/\n\n ConsolePlugin B directives:\n script-src: https://script2.com/, https://script3.com/\n font-src: https://font2.com/\n img-src: https://img1.com/\n\n Unified set of CSP directives, passed to the OpenShift web console server:\n script-src: https://script1.com/, https://script2.com/, https://script3.com/\n font-src: https://font1.com/, https://font2.com/\n img-src: https://img1.com/\n\n OpenShift web console server CSP response header:\n Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'", + "contentSecurityPolicy": "contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. Each directive specifies a list of values, appropriate for the given directive type, for example a list of remote endpoints for fetch directives such as ScriptSrc. Console web application uses CSP to detect and mitigate certain types of attacks, such as cross-site scripting (XSS) and data injection attacks. Dynamic plugins should specify this field if need to load assets from outside the cluster or if violation reports are observed. Dynamic plugins should always prefer loading their assets from within the cluster, either by vendoring them, or fetching from a cluster service. CSP violation reports can be viewed in the browser's console logs during development and testing of the plugin in the OpenShift web console. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. Each of the available directives may be defined only once in the list. The value 'self' is automatically included in all fetch directives by the OpenShift web console's backend. For more information about the CSP directives, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n\nThe OpenShift web console server aggregates the CSP directives and values across its own default values and all enabled ConsolePlugin CRs, merging them into a single policy string that is sent to the browser via `Content-Security-Policy` HTTP response header.\n\nExample:\n ConsolePlugin A directives:\n script-src: https://script1.com/, https://script2.com/\n font-src: https://font1.com/\n\n ConsolePlugin B directives:\n script-src: https://script2.com/, https://script3.com/\n font-src: https://font2.com/\n img-src: https://img1.com/\n\n Unified set of CSP directives, passed to the OpenShift web console server:\n script-src: https://script1.com/, https://script2.com/, https://script3.com/\n font-src: https://font1.com/, https://font2.com/\n img-src: https://img1.com/\n\n OpenShift web console server CSP response header:\n Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'", } func (ConsolePluginSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/envtest-releases.yaml b/vendor/github.com/openshift/api/envtest-releases.yaml index a0e3f0ebd..e3a8c94cf 100644 --- a/vendor/github.com/openshift/api/envtest-releases.yaml +++ b/vendor/github.com/openshift/api/envtest-releases.yaml @@ -38,3 +38,16 @@ releases: envtest-v1.31.2-linux-arm64.tar.gz: hash: f6ad42b701537ddfd6873e9700f8e73927763878eaf36a5437d71fb62bffda91ce7f502e13f9ef4b508d37973ccddd3d847eba0d7150f7acb5495fd82558fbad selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.2-linux-arm64.tar.gz + v1.32.1: + envtest-v1.32.1-darwin-amd64.tar.gz: + hash: e81d0b8e9d58bcefc8e741e298698670a39bf77923623fb8554b1a4b201a033678d2949e18dcf6933722c69f954b0de93c8f7136ff0641f69e5128a5a3fb6b26 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.32.1-darwin-amd64.tar.gz + envtest-v1.32.1-darwin-arm64.tar.gz: + hash: 57be0af5cbf72b659c14f955205fa9a95da9af9213bc9b6a5a1090394a0cd5f98c57127b3d8a69dc349bc33112f52505a6f030369bb09a27f9fb2c13a66475d1 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.32.1-darwin-arm64.tar.gz + envtest-v1.32.1-linux-amd64.tar.gz: + hash: 711c6d6d9443dce6b465403149837d636f440091b77ec45753d9c60fea0d6ba7811b0045ebf16f7b74504d1f47fcf1da90d7c810a18be31311c90f068d9fd1fd + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.32.1-linux-amd64.tar.gz + envtest-v1.32.1-linux-arm64.tar.gz: + hash: 0bc52e6344ae0753715bc39c2878696c72a3129356df484835586165238361c109ad3e1ebd354af8ecdf1026c3a2b98ed225ad0c6dd348cb3ff128a7cfdcc2f8 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.32.1-linux-arm64.tar.gz diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 8b42f6b01..e8c5a1930 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md @@ -1,27 +1,41 @@ | FeatureGate | Default on Hypershift | Default on SelfManagedHA | DevPreviewNoUpgrade on Hypershift | DevPreviewNoUpgrade on SelfManagedHA | TechPreviewNoUpgrade on Hypershift | TechPreviewNoUpgrade on SelfManagedHA | | ------ | --- | --- | --- | --- | --- | --- | | ClusterAPIInstall| | | | | | | -| ClusterAPIInstallIBMCloud| | | | | | | | EventedPLEG| | | | | | | -| MachineAPIMigration| | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | +| MutatingAdmissionPolicy| | | | | | | +| ShortCertRotation| | | | | | | +| BootImageSkewEnforcement| | | Enabled | Enabled | | | | ClusterVersionOperatorConfiguration| | | Enabled | Enabled | | | +| DualReplica| | | Enabled | Enabled | | | | Example2| | | Enabled | Enabled | | | -| GatewayAPI| | | Enabled | Enabled | | | +| NewOLMCatalogdAPIV1Metas| | | | Enabled | | Enabled | +| NewOLMOwnSingleNamespace| | | | Enabled | | Enabled | +| NewOLMPreflightPermissionChecks| | | | Enabled | | Enabled | +| NewOLMWebhookProviderOpenshiftServiceCA| | | | Enabled | | Enabled | +| SELinuxMount| | | Enabled | Enabled | | | +| VSphereMixedNodeEnv| | | Enabled | Enabled | | | | NewOLM| | Enabled | | Enabled | | Enabled | | AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | +| AWSDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AWSServiceLBNetworkSecurityGroup| | | Enabled | Enabled | Enabled | Enabled | | AutomatedEtcdBackup| | | Enabled | Enabled | Enabled | Enabled | +| AzureDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AzureMultiDisk| | | Enabled | Enabled | Enabled | Enabled | | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | -| CPMSMachineNamePrefix| | | Enabled | Enabled | Enabled | Enabled | +| ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | -| ConsolePluginContentSecurityPolicy| | | Enabled | Enabled | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | Enabled | Enabled | +| DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | | Example| | | Enabled | Enabled | Enabled | Enabled | +| ExternalOIDCWithUIDAndExtraClaimMappings| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | +| GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | | HighlyAvailableArbiter| | | Enabled | Enabled | Enabled | Enabled | +| ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | @@ -29,32 +43,24 @@ | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | | InsightsRuntimeExtractor| | | Enabled | Enabled | Enabled | Enabled | | KMSEncryptionProvider| | | Enabled | Enabled | Enabled | Enabled | -| MachineAPIProviderOpenStack| | | Enabled | Enabled | Enabled | Enabled | -| MachineConfigNodes| | | Enabled | Enabled | Enabled | Enabled | +| MachineAPIMigration| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesAzure| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesvSphere| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | -| MetricsCollectionProfiles| | | Enabled | Enabled | Enabled | Enabled | | MinimumKubeletVersion| | | Enabled | Enabled | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled | -| NetworkSegmentation| | | Enabled | Enabled | Enabled | Enabled | | NodeSwap| | | Enabled | Enabled | Enabled | Enabled | | NutanixMultiSubnets| | | Enabled | Enabled | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | Enabled | Enabled | -| OnClusterBuild| | | Enabled | Enabled | Enabled | Enabled | -| PinnedImages| | | Enabled | Enabled | Enabled | Enabled | -| PlatformOperators| | | Enabled | Enabled | Enabled | Enabled | -| ProcMountType| | | Enabled | Enabled | Enabled | Enabled | -| RouteAdvertisements| | | Enabled | Enabled | Enabled | Enabled | -| RouteExternalCertificate| | | Enabled | Enabled | Enabled | Enabled | -| ServiceAccountTokenNodeBinding| | | Enabled | Enabled | Enabled | Enabled | +| PreconfiguredUDNAddresses| | | Enabled | Enabled | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| | | Enabled | Enabled | Enabled | Enabled | +| SigstoreImageVerificationPKI| | | Enabled | Enabled | Enabled | Enabled | | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | | UpgradeStatus| | | Enabled | Enabled | Enabled | Enabled | -| UserNamespacesPodSecurityStandards| | | Enabled | Enabled | Enabled | Enabled | -| UserNamespacesSupport| | | Enabled | Enabled | Enabled | Enabled | +| VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled | | VSphereMultiDisk| | | Enabled | Enabled | Enabled | Enabled | -| VSphereMultiNetworks| | | Enabled | Enabled | Enabled | Enabled | | VolumeAttributesClass| | | Enabled | Enabled | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | | Enabled | Enabled | Enabled | Enabled | @@ -63,28 +69,33 @@ | AdminNetworkPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AlibabaPlatform| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| BareMetalLoadBalancer| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ChunkSizeMiB| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| CloudDualStackNodeIPs| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| DisableKubeletCloudCredentialProviders| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GCPLabelsTags| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| GatewayAPI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| GatewayAPIController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | HardwareSpeed| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | IngressControllerLBSubnetsAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| MachineConfigNodes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| MultiArchInstallAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| MultiArchInstallGCP| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| MetricsCollectionProfiles| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkLiveMigration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| NodeDisruptionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| NetworkSegmentation| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| OnClusterBuild| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | PersistentIPsForVirtualization| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| PrivateHostedZoneAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| PinnedImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ProcMountType| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| RouteAdvertisements| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereControlPlaneMachineSet| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereDriverConfiguration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereMultiVCenters| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereStaticIPs| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ValidatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go b/vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go index 4700f9114..793cb1938 100644 --- a/vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go +++ b/vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go @@ -99,5 +99,7 @@ type HelmChartRepositoryStatus struct { // conditions is a list of conditions and their statuses // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go index da33cc3ef..278e68110 100644 --- a/vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1beta1 diff --git a/vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go index 2ce8330b2..be828dbe4 100644 --- a/vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package docker10 diff --git a/vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go index 0e8ecb20d..c3c9b29d2 100644 --- a/vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package dockerpre012 diff --git a/vendor/github.com/openshift/api/image/v1/generated.proto b/vendor/github.com/openshift/api/image/v1/generated.proto index dabdc6d84..75ca44f47 100644 --- a/vendor/github.com/openshift/api/image/v1/generated.proto +++ b/vendor/github.com/openshift/api/image/v1/generated.proto @@ -31,11 +31,11 @@ message DockerImageReference { optional string iD = 5; } -// Image is an immutable representation of a container image and metadata at a point in time. +// Image is an immutable representation of a container image and its metadata at a point in time. // Images are named by taking a hash of their contents (metadata and content) and any change // in format, content, or metadata results in a new name. The images resource is primarily // for use by cluster administrators and integrations like the cluster image registry - end -// users instead access images via the imagestreamtags or imagestreamimages resources. While +// users, instead, access images via the imagestreamtags or imagestreamimages resources. While // image metadata is stored in the API, any integration that implements the container image // registry API must provide its own storage for the raw manifest data, image config, and // layer contents. @@ -504,7 +504,7 @@ message ImageStreamTagList { // the status history, and the currently referenced image (if any) of the provided // tag. This type replaces the ImageStreamTag by providing a full view of the tag. // ImageTags are returned for every spec or status tag present on the image stream. -// If no tag exists in either form a not found error will be returned by the API. +// If no tag exists in either form, a not found error will be returned by the API. // A create operation will succeed if no spec tag has already been defined and the // spec field is set. Delete will remove both spec and status elements from the // image stream. diff --git a/vendor/github.com/openshift/api/image/v1/types.go b/vendor/github.com/openshift/api/image/v1/types.go index d4ee4bff6..ffde2d124 100644 --- a/vendor/github.com/openshift/api/image/v1/types.go +++ b/vendor/github.com/openshift/api/image/v1/types.go @@ -27,11 +27,11 @@ type ImageList struct { // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// Image is an immutable representation of a container image and metadata at a point in time. +// Image is an immutable representation of a container image and its metadata at a point in time. // Images are named by taking a hash of their contents (metadata and content) and any change // in format, content, or metadata results in a new name. The images resource is primarily // for use by cluster administrators and integrations like the cluster image registry - end -// users instead access images via the imagestreamtags or imagestreamimages resources. While +// users, instead, access images via the imagestreamtags or imagestreamimages resources. While // image metadata is stored in the API, any integration that implements the container image // registry API must provide its own storage for the raw manifest data, image config, and // layer contents. @@ -512,7 +512,7 @@ type ImageStreamTagList struct { // the status history, and the currently referenced image (if any) of the provided // tag. This type replaces the ImageStreamTag by providing a full view of the tag. // ImageTags are returned for every spec or status tag present on the image stream. -// If no tag exists in either form a not found error will be returned by the API. +// If no tag exists in either form, a not found error will be returned by the API. // A create operation will succeed if no spec tag has already been defined and the // spec field is set. Delete will remove both spec and status elements from the // image stream. diff --git a/vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go index 953f70263..af6eee05c 100644 --- a/vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go index e0720bec7..9671768f6 100644 --- a/vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go @@ -25,7 +25,7 @@ func (DockerImageReference) SwaggerDoc() map[string]string { } var map_Image = map[string]string{ - "": "Image is an immutable representation of a container image and metadata at a point in time. Images are named by taking a hash of their contents (metadata and content) and any change in format, content, or metadata results in a new name. The images resource is primarily for use by cluster administrators and integrations like the cluster image registry - end users instead access images via the imagestreamtags or imagestreamimages resources. While image metadata is stored in the API, any integration that implements the container image registry API must provide its own storage for the raw manifest data, image config, and layer contents.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "Image is an immutable representation of a container image and its metadata at a point in time. Images are named by taking a hash of their contents (metadata and content) and any change in format, content, or metadata results in a new name. The images resource is primarily for use by cluster administrators and integrations like the cluster image registry - end users, instead, access images via the imagestreamtags or imagestreamimages resources. While image metadata is stored in the API, any integration that implements the container image registry API must provide its own storage for the raw manifest data, image config, and layer contents.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "dockerImageReference": "dockerImageReference is the string that can be used to pull this image.", "dockerImageMetadata": "dockerImageMetadata contains metadata about this image", @@ -284,7 +284,7 @@ func (ImageStreamTagList) SwaggerDoc() map[string]string { } var map_ImageTag = map[string]string{ - "": "ImageTag represents a single tag within an image stream and includes the spec, the status history, and the currently referenced image (if any) of the provided tag. This type replaces the ImageStreamTag by providing a full view of the tag. ImageTags are returned for every spec or status tag present on the image stream. If no tag exists in either form a not found error will be returned by the API. A create operation will succeed if no spec tag has already been defined and the spec field is set. Delete will remove both spec and status elements from the image stream.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "ImageTag represents a single tag within an image stream and includes the spec, the status history, and the currently referenced image (if any) of the provided tag. This type replaces the ImageStreamTag by providing a full view of the tag. ImageTags are returned for every spec or status tag present on the image stream. If no tag exists in either form, a not found error will be returned by the API. A create operation will succeed if no spec tag has already been defined and the spec field is set. Delete will remove both spec and status elements from the image stream.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "spec": "spec is the spec tag associated with this image stream tag, and it may be null if only pushes have occurred to this image stream.", "status": "status is the status tag details associated with this image stream tag, and it may be null if no push or import has been performed.", diff --git a/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go index 63f25fc19..335bd2421 100644 --- a/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.deepcopy.go index e4378aa52..2502e1fe3 100644 --- a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.deepcopy.go index 17d717ea4..842210c24 100644 --- a/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go index d1396fbfb..12a819672 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go @@ -224,6 +224,8 @@ type AlibabaCloudMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go index cc9c04ca2..ead8b2077 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go +++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go @@ -428,12 +428,10 @@ type RootVolume struct { type ControlPlaneMachineSetStatus struct { // conditions represents the observations of the ControlPlaneMachineSet's current state. // Known .status.conditions.type are: Available, Degraded and Progressing. - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` // observedGeneration is the most recent generation observed for this // ControlPlaneMachineSet. It corresponds to the ControlPlaneMachineSets's generation, diff --git a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go index cc1a355b5..e2ddde2ad 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go @@ -331,6 +331,8 @@ type NutanixMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` // vmUUID is the Machine associated VM's UUID diff --git a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go index b676a8d5f..d3a4c6ec8 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go @@ -170,12 +170,10 @@ type PowerVSMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` // instanceId is the instance ID of the machine created in PowerVS // instanceId uniquely identifies a Power VS server instance(VM) under a Power VS service. diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go index f30514381..61294ef58 100644 --- a/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/machine/v1alpha1/types_openstack.go b/vendor/github.com/openshift/api/machine/v1alpha1/types_openstack.go index 5e4f2cb38..7b7f80810 100644 --- a/vendor/github.com/openshift/api/machine/v1alpha1/types_openstack.go +++ b/vendor/github.com/openshift/api/machine/v1alpha1/types_openstack.go @@ -368,7 +368,7 @@ type RootVolume struct { // volumeType specifies a volume type to use when creating the root // volume. If not specified the default volume type will be used. VolumeType string `json:"volumeType,omitempty"` - // diskSize specifies the size, in GB, of the created root volume. + // diskSize specifies the size, in GiB, of the created root volume. Size int `json:"diskSize,omitempty"` // availabilityZone specifies the Cinder availability where the root volume will be created. Zone string `json:"availabilityZone,omitempty"` diff --git a/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.deepcopy.go index f61b35ab4..179a34778 100644 --- a/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.swagger_doc_generated.go index d7e5c1d97..1062bc6de 100644 --- a/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.swagger_doc_generated.go @@ -146,7 +146,7 @@ func (PortOpts) SwaggerDoc() map[string]string { var map_RootVolume = map[string]string{ "sourceUUID": "sourceUUID specifies the UUID of a glance image used to populate the root volume. Deprecated: set image in the platform spec instead. This will be ignored if image is set in the platform spec.", "volumeType": "volumeType specifies a volume type to use when creating the root volume. If not specified the default volume type will be used.", - "diskSize": "diskSize specifies the size, in GB, of the created root volume.", + "diskSize": "diskSize specifies the size, in GiB, of the created root volume.", "availabilityZone": "availabilityZone specifies the Cinder availability where the root volume will be created.", "sourceType": "Deprecated: sourceType will be silently ignored. There is no replacement.", "deviceType": "Deprecated: deviceType will be silently ignored. There is no replacement.", diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index b34a87886..db15df2cc 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go @@ -95,6 +95,18 @@ type AWSMachineProviderConfig struct { // The field size should be greater than 0 and the field input must start with cr-*** // +optional CapacityReservationID string `json:"capacityReservationId"` + // marketType specifies the type of market for the EC2 instance. + // Valid values are OnDemand, Spot, CapacityBlock and omitted. + // + // Defaults to OnDemand. + // When SpotMarketOptions is provided, the marketType defaults to "Spot". + // + // When set to OnDemand the instance runs as a standard OnDemand instance. + // When set to Spot the instance runs as a Spot instance. + // When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. + // If this value is selected, capacityReservationID must be specified to identify the target reservation. + // +optional + MarketType MarketType `json:"marketType,omitempty"` } // BlockDeviceMappingSpec describes a block device mapping @@ -128,8 +140,10 @@ type BlockDeviceMappingSpec struct { // https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice type EBSBlockDeviceSpec struct { // Indicates whether the EBS volume is deleted on machine termination. + // + // Deprecated: setting this field has no effect. // +optional - DeleteOnTermination *bool `json:"deleteOnTermination,omitempty"` + DeprecatedDeleteOnTermination *bool `json:"deleteOnTermination,omitempty"` // Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes // may only be attached to machines that support Amazon EBS encryption. // +optional @@ -318,5 +332,26 @@ type AWSMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } + +// MarketType describes the market type of an EC2 Instance +// +kubebuilder:validation:Enum:=OnDemand;Spot;CapacityBlock +type MarketType string + +const ( + + // MarketTypeOnDemand is a MarketType enum value + // When set to OnDemand the instance runs as a standard OnDemand instance. + MarketTypeOnDemand MarketType = "OnDemand" + + // MarketTypeSpot is a MarketType enum value + // When set to Spot the instance runs as a Spot instance. + MarketTypeSpot MarketType = "Spot" + + // MarketTypeCapacityBlock is a MarketType enum value + // When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. + MarketTypeCapacityBlock MarketType = "CapacityBlock" +) diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go index db84fa2c9..760360bd5 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_azureprovider.go @@ -234,6 +234,8 @@ type AzureMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status. // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go index fc09a0c47..72a31b5bd 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_gcpprovider.go @@ -63,6 +63,12 @@ const ( ConfidentialComputePolicyEnabled ConfidentialComputePolicy = "Enabled" // ConfidentialComputePolicyDisabled disables confidential compute for the GCP machine. ConfidentialComputePolicyDisabled ConfidentialComputePolicy = "Disabled" + // ConfidentialComputePolicySEV sets AMD SEV as the VM instance's confidential computing technology of choice. + ConfidentialComputePolicySEV ConfidentialComputePolicy = "AMDEncryptedVirtualization" + // ConfidentialComputePolicySEVSNP sets AMD SEV-SNP as the VM instance's confidential computing technology of choice. + ConfidentialComputePolicySEVSNP ConfidentialComputePolicy = "AMDEncryptedVirtualizationNestedPaging" + // ConfidentialComputePolicyTDX sets Intel TDX as the VM instance's confidential computing technology of choice. + ConfidentialComputePolicyTDX ConfidentialComputePolicy = "IntelTrustedDomainExtensions" ) // GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field @@ -143,10 +149,21 @@ type GCPMachineProviderSpec struct { // +optional ShieldedInstanceConfig GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"` - // confidentialCompute Defines whether the instance should have confidential compute enabled. - // If enabled OnHostMaintenance is required to be set to "Terminate". - // If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. - // +kubebuilder:validation:Enum=Enabled;Disabled + // confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice. + // Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions + // When set to Disabled, the machine will not be configured to be a confidential computing instance. + // When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization. + // When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology. + // When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology. + // When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology. + // If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances + // Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines. + // AMDEncryptedVirtualizationNestedPaging is supported in n2d machines. + // IntelTrustedDomainExtensions is supported in c3 machines. + // If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones + // If any value other than Disabled is set onHostMaintenance is required to be set to "Terminate". + // If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled. + // +kubebuilder:validation:Enum="";Enabled;Disabled;AMDEncryptedVirtualization;AMDEncryptedVirtualizationNestedPaging;IntelTrustedDomainExtensions // +optional ConfidentialCompute ConfidentialComputePolicy `json:"confidentialCompute,omitempty"` @@ -296,6 +313,8 @@ type GCPMachineProviderStatus struct { // conditions is a set of conditions associated with the Machine to indicate // errors or other status // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go index 3b83d10f6..fe6626f72 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go @@ -198,8 +198,34 @@ type VSphereDisk struct { // +kubebuilder:validation:Maximum=16384 // +required SizeGiB int32 `json:"sizeGiB"` + // provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. + // Allowed values are "Thin", "Thick", "EagerlyZeroed", and omitted. + // When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. + // When set to Thick, the full disk size will be allocated when disk is created. + // When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. + // When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere. + // +optional + ProvisioningMode ProvisioningMode `json:"provisioningMode,omitempty"` } +// provisioningMode represents the various provisioning types available to a VMs disk. +// +kubebuilder:validation:Enum=Thin;Thick;EagerlyZeroed +type ProvisioningMode string + +const ( + // ProvisioningModeThin creates the disk using thin provisioning. This means a sparse (allocate on demand) + // format with additional space optimizations. + ProvisioningModeThin ProvisioningMode = "Thin" + + // ProvisioningModeThick creates the disk with all space allocated. + ProvisioningModeThick ProvisioningMode = "Thick" + + // ProvisioningModeEagerlyZeroed creates the disk using eager zero provisioning. An eager zeroed thick disk + // has all space allocated and wiped clean of any previous contents on the physical media at + // creation time. Such disks may take longer time during creation compared to other disk formats. + ProvisioningModeEagerlyZeroed ProvisioningMode = "EagerlyZeroed" +) + // WorkspaceConfig defines a workspace configuration for the vSphere cloud // provider. type Workspace struct { @@ -239,6 +265,9 @@ type VSphereMachineProviderStatus struct { InstanceState *string `json:"instanceState,omitempty"` // conditions is a set of conditions associated with the Machine to indicate // errors or other status + // +listType=map + // +listMapKey=type + // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` // taskRef is a managed object reference to a Task related to the machine. // This value is set automatically at runtime and should not be set or diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index ba9aae81e..7763435a9 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1beta1 @@ -518,8 +518,8 @@ func (in *DiskSettings) DeepCopy() *DiskSettings { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = *in - if in.DeleteOnTermination != nil { - in, out := &in.DeleteOnTermination, &out.DeleteOnTermination + if in.DeprecatedDeleteOnTermination != nil { + in, out := &in.DeprecatedDeleteOnTermination, &out.DeprecatedDeleteOnTermination *out = new(bool) **out = **in } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 4c52b6651..2667a0aa2 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -33,6 +33,7 @@ var map_AWSMachineProviderConfig = map[string]string{ "placementGroupName": "placementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", "placementGroupPartition": "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", "capacityReservationId": "capacityReservationId specifies the target Capacity Reservation into which the instance should be launched. The field size should be greater than 0 and the field input must start with cr-***", + "marketType": "marketType specifies the type of market for the EC2 instance. Valid values are OnDemand, Spot, CapacityBlock and omitted.\n\nDefaults to OnDemand. When SpotMarketOptions is provided, the marketType defaults to \"Spot\".\n\nWhen set to OnDemand the instance runs as a standard OnDemand instance. When set to Spot the instance runs as a Spot instance. When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. If this value is selected, capacityReservationID must be specified to identify the target reservation.", } func (AWSMachineProviderConfig) SwaggerDoc() map[string]string { @@ -83,7 +84,7 @@ func (BlockDeviceMappingSpec) SwaggerDoc() map[string]string { var map_EBSBlockDeviceSpec = map[string]string{ "": "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", - "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.", + "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", "encrypted": "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", "kmsKey": "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", "iops": "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", @@ -444,7 +445,7 @@ var map_GCPMachineProviderSpec = map[string]string{ "onHostMaintenance": "onHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. This is required to be set to \"Terminate\" if you want to provision machine with attached GPUs. Otherwise, allowed values are \"Migrate\" and \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Migrate\".", "restartPolicy": "restartPolicy determines the behavior when an instance crashes or the underlying infrastructure provider stops the instance as part of a maintenance event (default \"Always\"). Cannot be \"Always\" with preemptible instances. Otherwise, allowed values are \"Always\" and \"Never\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Always\". RestartPolicy represents AutomaticRestart in GCP compute api", "shieldedInstanceConfig": "shieldedInstanceConfig is the Shielded VM configuration for the VM", - "confidentialCompute": "confidentialCompute Defines whether the instance should have confidential compute enabled. If enabled OnHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.", + "confidentialCompute": "confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice. Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions When set to Disabled, the machine will not be configured to be a confidential computing instance. When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization. When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology. When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology. When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology. If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines. AMDEncryptedVirtualizationNestedPaging is supported in n2d machines. IntelTrustedDomainExtensions is supported in c3 machines. If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones If any value other than Disabled is set onHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", "resourceManagerTags": "resourceManagerTags is an optional list of tags to apply to the GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", } @@ -784,9 +785,10 @@ func (NetworkSpec) SwaggerDoc() map[string]string { } var map_VSphereDisk = map[string]string{ - "": "VSphereDisk describes additional disks for vSphere.", - "name": "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", - "sizeGiB": "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + "": "VSphereDisk describes additional disks for vSphere.", + "name": "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", + "sizeGiB": "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + "provisioningMode": "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", } func (VSphereDisk) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/monitoring/v1/types.go b/vendor/github.com/openshift/api/monitoring/v1/types.go index fc650d961..faa250ed3 100644 --- a/vendor/github.com/openshift/api/monitoring/v1/types.go +++ b/vendor/github.com/openshift/api/monitoring/v1/types.go @@ -264,6 +264,8 @@ type AlertRelabelConfigStatus struct { // empty. // // +optional + // +listType=map + // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/monitoring/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/monitoring/v1/zz_generated.deepcopy.go index 67af0e082..bc572dc5b 100644 --- a/vendor/github.com/openshift/api/monitoring/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/monitoring/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/network/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/network/v1/zz_generated.deepcopy.go index ab6eb72aa..c24667442 100644 --- a/vendor/github.com/openshift/api/network/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/network/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/network/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/network/v1alpha1/zz_generated.deepcopy.go index b8308c3f8..e04794e15 100644 --- a/vendor/github.com/openshift/api/network/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/network/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/networkoperator/v1/generated.proto b/vendor/github.com/openshift/api/networkoperator/v1/generated.proto index ebf09e7e9..1999f71e8 100644 --- a/vendor/github.com/openshift/api/networkoperator/v1/generated.proto +++ b/vendor/github.com/openshift/api/networkoperator/v1/generated.proto @@ -110,6 +110,8 @@ message EgressRouterSpec { message EgressRouterStatus { // Observed status of the egress router // +required + // +listType=map + // +listMapKey=type repeated EgressRouterStatusCondition conditions = 1; } diff --git a/vendor/github.com/openshift/api/networkoperator/v1/types_egressrouter.go b/vendor/github.com/openshift/api/networkoperator/v1/types_egressrouter.go index 87e279eda..541c3b559 100644 --- a/vendor/github.com/openshift/api/networkoperator/v1/types_egressrouter.go +++ b/vendor/github.com/openshift/api/networkoperator/v1/types_egressrouter.go @@ -247,6 +247,8 @@ type EgressRouterStatusCondition struct { type EgressRouterStatus struct { // Observed status of the egress router // +required + // +listType=map + // +listMapKey=type Conditions []EgressRouterStatusCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"` } diff --git a/vendor/github.com/openshift/api/networkoperator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/networkoperator/v1/zz_generated.deepcopy.go index e58d3dfaa..27b39ffdc 100644 --- a/vendor/github.com/openshift/api/networkoperator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/networkoperator/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/oauth/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/oauth/v1/zz_generated.deepcopy.go index f1af9dc5f..73191b616 100644 --- a/vendor/github.com/openshift/api/oauth/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/oauth/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go index 498f78df6..0d71e3f8b 100644 --- a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go +++ b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go @@ -258,7 +258,10 @@ const ( type OpenShiftControllerManagerConfig struct { metav1.TypeMeta `json:",inline"` - KubeClientConfig configv1.KubeClientConfig `json:"kubeClientConfig"` + // KubeClientConfig is no longer being used. + // The field is being ignored by OCM. + // + // KubeClientConfig configv1.KubeClientConfig `json:"kubeClientConfig"` // servingInfo describes how to start serving ServingInfo *configv1.HTTPServingInfo `json:"servingInfo"` diff --git a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go index 62de55ed4..4d7774caa 100644 --- a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 @@ -459,7 +459,6 @@ func (in *OpenShiftAPIServerConfig) DeepCopyObject() runtime.Object { func (in *OpenShiftControllerManagerConfig) DeepCopyInto(out *OpenShiftControllerManagerConfig) { *out = *in out.TypeMeta = in.TypeMeta - out.KubeClientConfig = in.KubeClientConfig if in.ServingInfo != nil { in, out := &in.ServingInfo, &out.ServingInfo *out = new(configv1.HTTPServingInfo) diff --git a/vendor/github.com/openshift/api/operator/v1/types.go b/vendor/github.com/openshift/api/operator/v1/types.go index 284dfe54d..4b0c48a10 100644 --- a/vendor/github.com/openshift/api/operator/v1/types.go +++ b/vendor/github.com/openshift/api/operator/v1/types.go @@ -258,15 +258,21 @@ type StaticPodOperatorStatus struct { // NodeStatus provides information about the current state of a particular node managed by this operator. // +kubebuilder:validation:XValidation:rule="has(self.currentRevision) || !has(oldSelf.currentRevision)",message="cannot be unset once set",fieldPath=".currentRevision" +// +kubebuilder:validation:XValidation:rule="oldSelf.hasValue() || !has(self.currentRevision)",message="currentRevision can not be set on creation of a nodeStatus",optionalOldSelf=true,fieldPath=.currentRevision +// +kubebuilder:validation:XValidation:rule="oldSelf.hasValue() || !has(self.targetRevision)",message="targetRevision can not be set on creation of a nodeStatus",optionalOldSelf=true,fieldPath=.targetRevision type NodeStatus struct { // nodeName is the name of the node // +required NodeName string `json:"nodeName"` - // currentRevision is the generation of the most recently successful deployment + // currentRevision is the generation of the most recently successful deployment. + // Can not be set on creation of a nodeStatus. Updates must only increase the value. // +kubebuilder:validation:XValidation:rule="self >= oldSelf",message="must only increase" - CurrentRevision int32 `json:"currentRevision"` - // targetRevision is the generation of the deployment we're trying to apply + // +optional + CurrentRevision int32 `json:"currentRevision,omitempty"` + // targetRevision is the generation of the deployment we're trying to apply. + // Can not be set on creation of a nodeStatus. + // +optional TargetRevision int32 `json:"targetRevision,omitempty"` // lastFailedRevision is the generation of the deployment we tried and failed to deploy. diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go index 68d9daa45..c2f25e4e6 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_console.go +++ b/vendor/github.com/openshift/api/operator/v1/types_console.go @@ -143,8 +143,141 @@ type Capability struct { Visibility CapabilityVisibility `json:"visibility"` } +// ThemeMode is the value of the logo theme mode that determines the theme mode in the console UI. +// +kubebuilder:validation:Enum="Dark";"Light" +// +enum +type ThemeMode string + +// ThemeMode values +const ( + // ThemeModeDark represents the dark mode for a console theme. + ThemeModeDark ThemeMode = "Dark" + + // ThemeModeLight represents the light mode for a console theme. + ThemeModeLight ThemeMode = "Light" +) + +// LogoType is the value of the logo type that determines if the logo is for the masthead or the favicon in the console UI. +// The masthead logo is displayed in the masthead and about modal of the console UI. +// +kubebuilder:validation:Enum="Masthead";"Favicon" +// +enum +type LogoType string + +const ( + // Masthead represents the logo in the masthead. + LogoTypeMasthead LogoType = "Masthead" + + // Favicon represents the favicon logo. + LogoTypeFavicon LogoType = "Favicon" +) + +// SourceType defines the source type of the file reference. +// +kubebuilder:validation:Enum="ConfigMap" +// +enum +type SourceType string + +const ( + // SourceTypeConfigMap represents a ConfigMap source. + SourceTypeConfigMap SourceType = "ConfigMap" +) + +// ConfigMapFileReference references a specific file within a ConfigMap. +type ConfigMapFileReference struct { + // name is the name of the ConfigMap. + // name is a required field. + // Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + // Must be at most 253 characters in length. + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Name string `json:"name"` + + // key is the logo key inside the referenced ConfigMap. + // Must consist only of alphanumeric characters, dashes (-), underscores (_), and periods (.). + // Must be at most 253 characters in length. + // Must end in a valid file extension. + // A valid file extension must consist of a period followed by 2 to 5 alpha characters. + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="The ConfigMap key must consist only of alphanumeric characters, dashes (-), underscores (_), and periods (.)." + // +kubebuilder:validation:XValidation:rule="self.matches('.*\\\\.[a-zA-Z]{2,5}$')",message="The ConfigMap key must end with a valid file extension (2 to 5 letters)." + // +required + Key string `json:"key"` +} +// FileReferenceSource is used by the console to locate the specified file containing a custom logo. +// +kubebuilder:validation:XValidation:rule="has(self.from) && self.from == 'ConfigMap' ? has(self.configMap) : !has(self.configMap)",message="configMap is required when from is 'ConfigMap', and forbidden otherwise." +type FileReferenceSource struct { + // from is a required field to specify the source type of the file reference. + // Allowed values are ConfigMap. + // When set to ConfigMap, the file will be sourced from a ConfigMap in the openshift-config namespace. The configMap field must be set when from is set to ConfigMap. + // +required + From SourceType `json:"from"` + + // configMap specifies the ConfigMap sourcing details such as the name of the ConfigMap and the key for the file. + // The ConfigMap must exist in the openshift-config namespace. + // Required when from is "ConfigMap", and forbidden otherwise. + // +optional + ConfigMap *ConfigMapFileReference `json:"configMap"` +} + +// Theme defines a theme mode for the console UI. +type Theme struct { + // mode is used to specify what theme mode a logo will apply to in the console UI. + // mode is a required field that allows values of Dark and Light. + // When set to Dark, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Dark mode. + // When set to Light, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Light mode. + // +required + Mode ThemeMode `json:"mode"` + + // source is used by the console to locate the specified file containing a custom logo. + // source is a required field that references a ConfigMap name and key that contains the custom logo file in the openshift-config namespace. + // You can create it with a command like: + // - 'oc create configmap custom-logos-config --namespace=openshift-config --from-file=/path/to/file' + // The ConfigMap key must include the file extension so that the console serves the file with the correct MIME type. + // The recommended file format for the Masthead and Favicon logos is SVG, but other file formats are allowed if supported by the browser. + // The logo image size must be less than 1 MB due to constraints on the ConfigMap size. + // For more information, see the documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/web_console/customizing-web-console#customizing-web-console + // +required + Source FileReferenceSource `json:"source"` +} + +// Logo defines a configuration based on theme modes for the console UI logo. +type Logo struct { + // type specifies the type of the logo for the console UI. It determines whether the logo is for the masthead or favicon. + // type is a required field that allows values of Masthead and Favicon. + // When set to "Masthead", the logo will be used in the masthead and about modal of the console UI. + // When set to "Favicon", the logo will be used as the favicon of the console UI. + // +required + Type LogoType `json:"type"` + + // themes specifies the themes for the console UI logo. + // themes is a required field that allows a list of themes. Each item in the themes list must have a unique mode and a source field. + // Each mode determines whether the logo is for the dark or light mode of the console UI. + // If a theme is not specified, the default OpenShift logo will be displayed for that theme. + // There must be at least one entry and no more than 2 entries. + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=2 + // +listType=map + // +listMapKey=mode + // +required + Themes []Theme `json:"themes"` +} + // ConsoleCustomization defines a list of optional configuration for the console UI. +// Ensure that Logos and CustomLogoFile cannot be set at the same time. +// +kubebuilder:validation:XValidation:rule="!(has(self.logos) && has(self.customLogoFile))",message="Only one of logos or customLogoFile can be set." type ConsoleCustomization struct { + // logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. + // logos is an optional field that allows a list of logos. + // Only one of logos or customLogoFile can be set at a time. + // If logos is set, customLogoFile must be unset. + // When specified, there must be at least one entry and no more than 2 entries. + // Each type must appear only once in the list. + // +kubebuilder:validation:MaxItems=2 + // +listType=map + // +listMapKey=type + // +optional + Logos []Logo `json:"logos"` + // capabilities defines an array of capabilities that can be interacted with in the console UI. // Each capability defines a visual state that can be interacted with the console to render in the UI. // Available capabilities are LightspeedButton and GettingStartedBanner. @@ -172,14 +305,14 @@ type ConsoleCustomization struct { // +optional CustomProductName string `json:"customProductName,omitempty"` // customLogoFile replaces the default OpenShift logo in the masthead and about dialog. It is a reference to a + // Only one of customLogoFile or logos can be set at a time. // ConfigMap in the openshift-config namespace. This can be created with a command like // 'oc create configmap custom-logo --from-file=/path/to/file -n openshift-config'. // Image size must be less than 1 MB due to constraints on the ConfigMap size. // The ConfigMap key should include a file extension so that the console serves the file // with the correct MIME type. - // Recommended logo specifications: - // Dimensions: Max height of 68px and max width of 200px - // SVG format preferred + // The recommended file format for the logo is SVG, but other file formats are allowed if supported by the browser. + // Deprecated: Use logos instead. // +optional CustomLogoFile configv1.ConfigMapFileReference `json:"customLogoFile,omitempty"` // developerCatalog allows to configure the shown developer catalog categories (filters) and types (sub-catalogs). diff --git a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go index 731323750..cf7922fcd 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go +++ b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go @@ -348,7 +348,6 @@ type VSphereCSIDriverConfigSpec struct { // Volume snapshot documentation: https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-E0B41C69-7EEB-450F-A73D-5FD2FF39E891.html // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GlobalMaxSnapshotsPerBlockVolume *uint32 `json:"globalMaxSnapshotsPerBlockVolume,omitempty"` @@ -357,7 +356,6 @@ type VSphereCSIDriverConfigSpec struct { // Snapshots for VSAN can not be disabled using this parameter. // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GranularMaxSnapshotsPerBlockVolumeInVSAN *uint32 `json:"granularMaxSnapshotsPerBlockVolumeInVSAN,omitempty"` @@ -366,9 +364,23 @@ type VSphereCSIDriverConfigSpec struct { // Snapshots for VVOL can not be disabled using this parameter. // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GranularMaxSnapshotsPerBlockVolumeInVVOL *uint32 `json:"granularMaxSnapshotsPerBlockVolumeInVVOL,omitempty"` + + // maxAllowedBlockVolumesPerNode is an optional configuration parameter that allows setting a custom value for the + // limit of the number of PersistentVolumes attached to a node. In vSphere version 7 this limit was set to 59 by + // default, however in vSphere version 8 this limit was increased to 255. + // Before increasing this value above 59 the cluster administrator needs to ensure that every node forming the + // cluster is updated to ESXi version 8 or higher and that all nodes are running the same version. + // The limit must be between 1 and 255, which matches the vSphere version 8 maximum. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to + // change over time. + // The current default is 59, which matches the limit for vSphere version 7. + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Maximum=255 + // +openshift:enable:FeatureGate=VSphereConfigurableMaxAllowedBlockVolumesPerNode + // +optional + MaxAllowedBlockVolumesPerNode int32 `json:"maxAllowedBlockVolumesPerNode,omitempty"` } // ClusterCSIDriverStatus is the observed status of CSI driver operator diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index a8ea2d695..240ab12c7 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -803,9 +803,9 @@ type AWSClassicLoadBalancerParameters struct { // AWSNetworkLoadBalancerParameters holds configuration parameters for an // AWS Network load balancer. For Example: Setting AWS EIPs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html -// +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule=`has(self.subnets) && has(self.subnets.ids) && has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids + self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule=`has(self.subnets) && has(self.subnets.ids) && !has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule=`has(self.subnets) && has(self.subnets.names) && !has(self.subnets.ids) && has(self.eipAllocations) ? size(self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" +// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.ids) && has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids + self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" +// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.ids) && !has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" +// +openshift:validation:FeatureGateAwareXValidation:requiredFeatureGate=SetEIPForNLBIngressController;IngressControllerLBSubnetsAWS,rule=`has(self.subnets) && has(self.subnets.names) && !has(self.subnets.ids) && has(self.eipAllocations) ? size(self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" type AWSNetworkLoadBalancerParameters struct { // subnets specifies the subnets to which the load balancer will // attach. The subnets may be specified by either their diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go index 88b89f818..2d88bcd77 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go +++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go @@ -41,8 +41,10 @@ type MachineConfigurationSpec struct { // managedBootImages allows configuration for the management of boot images for machine // resources within the cluster. This configuration allows users to select resources that should // be updated to the latest boot images during cluster upgrades, ensuring that new machines - // always boot with the current cluster version's boot image. When omitted, no boot images - // will be updated. + // always boot with the current cluster version's boot image. When omitted, this means no opinion + // and the platform is left to choose a reasonable default, which is subject to change over time. + // The default for each machine manager mode is All for GCP and AWS platforms, and None for all + // other platforms. // +openshift:enable:FeatureGate=ManagedBootImages // +optional ManagedBootImages ManagedBootImages `json:"managedBootImages"` @@ -51,7 +53,6 @@ type MachineConfigurationSpec struct { // MachineConfig-based updates, such as drains, service reloads, etc. Specifying this will allow // for less downtime when doing small configuration updates to the cluster. This configuration // has no effect on cluster upgrades which will still incur node disruption where required. - // +openshift:enable:FeatureGate=NodeDisruptionPolicy // +optional NodeDisruptionPolicy NodeDisruptionPolicyConfig `json:"nodeDisruptionPolicy"` } @@ -62,11 +63,10 @@ type MachineConfigurationStatus struct { ObservedGeneration int64 `json:"observedGeneration,omitempty"` // conditions is a list of conditions and their status - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` // Previously there was a StaticPodOperatorStatus here for legacy reasons. Many of the fields within // it are no longer relevant for the MachineConfiguration CRD's functions. The following remainder @@ -93,9 +93,14 @@ type MachineConfigurationStatus struct { // nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, // and will be used by the Machine Config Daemon during future node updates. - // +openshift:enable:FeatureGate=NodeDisruptionPolicy // +optional NodeDisruptionPolicyStatus NodeDisruptionPolicyStatus `json:"nodeDisruptionPolicyStatus"` + + // managedBootImagesStatus reflects what the latest cluster-validated boot image configuration is + // and will be used by Machine Config Controller while performing boot image updates. + // +openshift:enable:FeatureGate=ManagedBootImages + // +optional + ManagedBootImagesStatus ManagedBootImages `json:"managedBootImagesStatus"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -122,6 +127,7 @@ type ManagedBootImages struct { // +listType=map // +listMapKey=resource // +listMapKey=apiGroup + // +kubebuilder:validation:MaxItems=5 MachineManagers []MachineManager `json:"machineManagers"` } @@ -152,6 +158,7 @@ type MachineManagerSelector struct { // Valid values are All and Partial. // All means that every resource matched by the machine manager will be updated. // Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + // None means that every resource matched by the machine manager will not be updated. // +unionDiscriminator // +required Mode MachineManagerSelectorMode `json:"mode"` @@ -170,7 +177,7 @@ type PartialSelector struct { } // MachineManagerSelectorMode is a string enum used in the MachineManagerSelector union discriminator. -// +kubebuilder:validation:Enum:="All";"Partial" +// +kubebuilder:validation:Enum:="All";"Partial";"None" type MachineManagerSelectorMode string const ( @@ -180,6 +187,9 @@ const ( // Partial represents a configuration mode that will register resources specified by the parent MachineManager only // if they match with the label selector. Partial MachineManagerSelectorMode = "Partial" + + // None represents a configuration mode that excludes all resources specified by the parent MachineManager from boot image updates. + None MachineManagerSelectorMode = "None" ) // MachineManagerManagedResourceType is a string enum used in the MachineManager type to describe the resource diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go index b4b0a6d6d..713939ddb 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_network.go +++ b/vendor/github.com/openshift/api/operator/v1/types_network.go @@ -79,9 +79,10 @@ type NetworkSpec struct { // +listMapKey=name AdditionalNetworks []AdditionalNetworkDefinition `json:"additionalNetworks,omitempty"` - // disableMultiNetwork specifies whether or not multiple pod network - // support should be disabled. If unset, this property defaults to - // 'false' and multiple network support is enabled. + // disableMultiNetwork defaults to 'false' and this setting enables the pod multi-networking capability. + // disableMultiNetwork when set to 'true' at cluster install time does not install the components, typically the Multus CNI and the network-attachment-definition CRD, + // that enable the pod multi-networking capability. Setting the parameter to 'true' might be useful when you need install third-party CNI plugins, + // but these plugins are not supported by Red Hat. Changing the parameter value as a postinstallation cluster task has no effect. DisableMultiNetwork *bool `json:"disableMultiNetwork,omitempty"` // useMultiNetworkPolicy enables a controller which allows for @@ -440,7 +441,7 @@ type OVNKubernetesConfig struct { // any other subnet being used by OpenShift or by the node network. The size of the // subnet must be larger than the number of nodes. The value cannot be changed // after installation. - // Default is fd98::/48 + // Default is fd98::/64 // +optional V6InternalSubnet string `json:"v6InternalSubnet,omitempty"` // egressIPConfig holds the configuration for EgressIP options. @@ -529,7 +530,7 @@ type IPv6OVNKubernetesConfig struct { // subnet must be larger than the number of nodes. The value cannot be changed // after installation. // The subnet must be large enough to accomadate one IP per node in your cluster - // The current default value is fd98::/48 + // The current default value is fd98::/64 // The value must be in proper IPV6 CIDR format // Note that IPV6 dual addresses are not permitted // +kubebuilder:validation:MaxLength=48 @@ -579,8 +580,6 @@ type Encapsulation string const ( // EncapsulationAlways always enable UDP encapsulation regardless of whether NAT is detected. EncapsulationAlways = "Always" - // EncapsulationNever never enable UDP encapsulation even if NAT is present. - EncapsulationNever = "Never" // EncapsulationAuto enable UDP encapsulation based on the detection of NAT. EncapsulationAuto = "Auto" ) @@ -591,13 +590,12 @@ type IPsecFullModeConfig struct { // encapsulation option to configure libreswan on how inter-pod traffic across nodes // are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 // for the encapsulation. - // Valid values are Always, Never, Auto and omitted. + // Valid values are Always, Auto and omitted. // Always means enable UDP encapsulation regardless of whether NAT is detected. - // Disable means never enable UDP encapsulation even if NAT is present. // Auto means enable UDP encapsulation based on the detection of NAT. // When omitted, this means no opinion and the platform is left to choose a reasonable // default, which is subject to change over time. The current default is Auto. - // +kubebuilder:validation:Enum:=Always;Never;Auto + // +kubebuilder:validation:Enum:=Always;Auto // +optional Encapsulation Encapsulation `json:"encapsulation,omitempty"` } diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml index 294921e47..1f58ced4e 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml @@ -252,8 +252,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -292,8 +293,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -303,6 +305,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml index 7a41ad8bf..23e6bdc63 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml @@ -239,8 +239,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -279,8 +280,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -290,6 +292,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml index 71376efe1..76d63711f 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml @@ -252,8 +252,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -292,8 +293,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -303,6 +305,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml index 53ee94c57..7433b66d3 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml @@ -252,8 +252,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -292,8 +293,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -303,6 +305,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml index 189f12704..a8664362d 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml @@ -221,8 +221,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -261,8 +262,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -272,6 +274,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers.crd.yaml index 7b6b138b7..72bb37b76 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers.crd.yaml @@ -230,8 +230,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -270,8 +271,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -281,6 +283,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-scheduler_01_kubeschedulers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-scheduler_01_kubeschedulers.crd.yaml index ced827d0a..e59fedb33 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-scheduler_01_kubeschedulers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_25_kube-scheduler_01_kubeschedulers.crd.yaml @@ -221,8 +221,9 @@ spec: of a particular node managed by this operator. properties: currentRevision: - description: currentRevision is the generation of the most recently - successful deployment + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. format: int32 type: integer x-kubernetes-validations: @@ -261,8 +262,9 @@ spec: description: nodeName is the name of the node type: string targetRevision: - description: targetRevision is the generation of the deployment - we're trying to apply + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. format: int32 type: integer required: @@ -272,6 +274,14 @@ spec: - fieldPath: .currentRevision message: cannot be unset once set rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) type: array x-kubernetes-list-map-keys: - nodeName diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml index 6578035ed..dfd9e3ddb 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml @@ -131,14 +131,14 @@ spec: customLogoFile: description: |- customLogoFile replaces the default OpenShift logo in the masthead and about dialog. It is a reference to a + Only one of customLogoFile or logos can be set at a time. ConfigMap in the openshift-config namespace. This can be created with a command like 'oc create configmap custom-logo --from-file=/path/to/file -n openshift-config'. Image size must be less than 1 MB due to constraints on the ConfigMap size. The ConfigMap key should include a file extension so that the console serves the file with the correct MIME type. - Recommended logo specifications: - Dimensions: Max height of 68px and max width of 200px - SVG format preferred + The recommended file format for the logo is SVG, but other file formats are allowed if supported by the browser. + Deprecated: Use logos instead. properties: key: description: key allows pointing to a specific key/value inside @@ -273,6 +273,136 @@ spec: Invalid value will prevent a console rollout. pattern: ^$|^((https):\/\/?)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/?))\/$ type: string + logos: + description: |- + logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. + logos is an optional field that allows a list of logos. + Only one of logos or customLogoFile can be set at a time. + If logos is set, customLogoFile must be unset. + When specified, there must be at least one entry and no more than 2 entries. + Each type must appear only once in the list. + items: + description: Logo defines a configuration based on theme modes + for the console UI logo. + properties: + themes: + description: |- + themes specifies the themes for the console UI logo. + themes is a required field that allows a list of themes. Each item in the themes list must have a unique mode and a source field. + Each mode determines whether the logo is for the dark or light mode of the console UI. + If a theme is not specified, the default OpenShift logo will be displayed for that theme. + There must be at least one entry and no more than 2 entries. + items: + description: Theme defines a theme mode for the console + UI. + properties: + mode: + description: |- + mode is used to specify what theme mode a logo will apply to in the console UI. + mode is a required field that allows values of Dark and Light. + When set to Dark, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Dark mode. + When set to Light, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Light mode. + enum: + - Dark + - Light + type: string + source: + description: |- + source is used by the console to locate the specified file containing a custom logo. + source is a required field that references a ConfigMap name and key that contains the custom logo file in the openshift-config namespace. + You can create it with a command like: + - 'oc create configmap custom-logos-config --namespace=openshift-config --from-file=/path/to/file' + The ConfigMap key must include the file extension so that the console serves the file with the correct MIME type. + The recommended file format for the Masthead and Favicon logos is SVG, but other file formats are allowed if supported by the browser. + The logo image size must be less than 1 MB due to constraints on the ConfigMap size. + For more information, see the documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/web_console/customizing-web-console#customizing-web-console + properties: + configMap: + description: |- + configMap specifies the ConfigMap sourcing details such as the name of the ConfigMap and the key for the file. + The ConfigMap must exist in the openshift-config namespace. + Required when from is "ConfigMap", and forbidden otherwise. + properties: + key: + description: |- + key is the logo key inside the referenced ConfigMap. + Must consist only of alphanumeric characters, dashes (-), underscores (_), and periods (.). + Must be at most 253 characters in length. + Must end in a valid file extension. + A valid file extension must consist of a period followed by 2 to 5 alpha characters. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: The ConfigMap key must consist + only of alphanumeric characters, dashes + (-), underscores (_), and periods (.). + rule: self.matches('^[a-zA-Z0-9._-]+$') + - message: The ConfigMap key must end with + a valid file extension (2 to 5 letters). + rule: self.matches('.*\\.[a-zA-Z]{2,5}$') + name: + description: |- + name is the name of the ConfigMap. + name is a required field. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + Must be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain + must consist of lower case alphanumeric + characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + from: + description: |- + from is a required field to specify the source type of the file reference. + Allowed values are ConfigMap. + When set to ConfigMap, the file will be sourced from a ConfigMap in the openshift-config namespace. The configMap field must be set when from is set to ConfigMap. + enum: + - ConfigMap + type: string + required: + - from + type: object + x-kubernetes-validations: + - message: configMap is required when from is 'ConfigMap', + and forbidden otherwise. + rule: 'has(self.from) && self.from == ''ConfigMap'' + ? has(self.configMap) : !has(self.configMap)' + required: + - mode + - source + type: object + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - mode + x-kubernetes-list-type: map + type: + description: |- + type specifies the type of the logo for the console UI. It determines whether the logo is for the masthead or favicon. + type is a required field that allows values of Masthead and Favicon. + When set to "Masthead", the logo will be used in the masthead and about modal of the console UI. + When set to "Favicon", the logo will be used as the favicon of the console UI. + enum: + - Masthead + - Favicon + type: string + required: + - themes + - type + type: object + maxItems: 2 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map perspectives: description: perspectives allows enabling/disabling of perspective(s) that user can see in the Perspective switcher dropdown. @@ -694,6 +824,9 @@ spec: type: array type: object type: object + x-kubernetes-validations: + - message: Only one of logos or customLogoFile can be set. + rule: '!(has(self.logos) && has(self.customLogoFile))' ingress: description: |- ingress allows to configure the alternative ingress for the console. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers.crd.yaml deleted file mode 100644 index 1db446757..000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers.crd.yaml +++ /dev/null @@ -1,488 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/701 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - name: clustercsidrivers.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: ClusterCSIDriver - listKind: ClusterCSIDriverList - plural: clustercsidrivers - singular: clustercsidriver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCSIDriver object allows management and configuration of a CSI driver operator - installed by default in OpenShift. Name of the object must be name of the CSI driver - it operates. See CSIDriverName type for list of allowed values. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - properties: - name: - enum: - - ebs.csi.aws.com - - efs.csi.aws.com - - disk.csi.azure.com - - file.csi.azure.com - - filestore.csi.storage.gke.io - - pd.csi.storage.gke.io - - cinder.csi.openstack.org - - csi.vsphere.vmware.com - - manila.csi.openstack.org - - csi.ovirt.org - - csi.kubevirt.io - - csi.sharedresource.openshift.io - - diskplugin.csi.alibabacloud.com - - vpc.block.csi.ibm.io - - powervs.csi.ibm.com - - secrets-store.csi.k8s.io - - smb.csi.k8s.io - type: string - type: object - spec: - description: spec holds user settable values for configuration - properties: - driverConfig: - description: |- - driverConfig can be used to specify platform specific driver configuration. - When omitted, this means no opinion and the platform is left to choose reasonable - defaults. These defaults are subject to change over time. - properties: - aws: - description: aws is used to configure the AWS CSI driver. - properties: - efsVolumeMetrics: - description: efsVolumeMetrics sets the configuration for collecting - metrics from EFS volumes used by the EFS CSI Driver. - properties: - recursiveWalk: - description: |- - recursiveWalk provides additional configuration for collecting volume metrics in the AWS EFS CSI Driver - when the state is set to RecursiveWalk. - properties: - fsRateLimit: - description: |- - fsRateLimit defines the rate limit, in goroutines per file system, for processing volume metrics. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is 5. - The valid range is from 1 to 100 goroutines. - format: int32 - maximum: 100 - minimum: 1 - type: integer - refreshPeriodMinutes: - description: |- - refreshPeriodMinutes specifies the frequency, in minutes, at which volume metrics are refreshed. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is 240. - The valid range is from 1 to 43200 minutes (30 days). - format: int32 - maximum: 43200 - minimum: 1 - type: integer - type: object - state: - description: |- - state defines the state of metric collection in the AWS EFS CSI Driver. - This field is required and must be set to one of the following values: Disabled or RecursiveWalk. - Disabled means no metrics collection will be performed. This is the default value. - RecursiveWalk means the AWS EFS CSI Driver will recursively scan volumes to collect metrics. - This process may result in high CPU and memory usage, depending on the volume size. - enum: - - RecursiveWalk - - Disabled - type: string - required: - - state - type: object - kmsKeyARN: - description: |- - kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, - rather than the default KMS key used by AWS. - The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ - type: string - type: object - azure: - description: azure is used to configure the Azure CSI driver. - properties: - diskEncryptionSet: - description: |- - diskEncryptionSet sets the cluster default storage class to encrypt volumes with a - customer-managed encryption set, rather than the default platform-managed keys. - properties: - name: - description: |- - name is the name of the disk encryption set that will be set on the default storage class. - The value should consist of only alphanumberic characters, - underscores (_), hyphens, and be at most 80 characters in length. - maxLength: 80 - pattern: ^[a-zA-Z0-9\_-]+$ - type: string - resourceGroup: - description: |- - resourceGroup defines the Azure resource group that contains the disk encryption set. - The value should consist of only alphanumberic characters, - underscores (_), parentheses, hyphens and periods. - The value should not end in a period and be at most 90 characters in - length. - maxLength: 90 - pattern: ^[\w\.\-\(\)]*[\w\-\(\)]$ - type: string - subscriptionID: - description: |- - subscriptionID defines the Azure subscription that contains the disk encryption set. - The value should meet the following conditions: - 1. It should be a 128-bit number. - 2. It should be 36 characters (32 hexadecimal characters and 4 hyphens) long. - 3. It should be displayed in five groups separated by hyphens (-). - 4. The first group should be 8 characters long. - 5. The second, third, and fourth groups should be 4 characters long. - 6. The fifth group should be 12 characters long. - An Example SubscrionID: f2007bbf-f802-4a47-9336-cf7c6b89b378 - maxLength: 36 - pattern: ^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$ - type: string - required: - - name - - resourceGroup - - subscriptionID - type: object - type: object - driverType: - description: |- - driverType indicates type of CSI driver for which the - driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. - Consumers should treat unknown values as a NO-OP. - enum: - - "" - - AWS - - Azure - - GCP - - IBMCloud - - vSphere - type: string - gcp: - description: gcp is used to configure the GCP CSI driver. - properties: - kmsKey: - description: |- - kmsKey sets the cluster default storage class to encrypt volumes with customer-supplied - encryption keys, rather than the default keys managed by GCP. - properties: - keyRing: - description: |- - keyRing is the name of the KMS Key Ring which the KMS Key belongs to. - The value should correspond to an existing KMS key ring and should - consist of only alphanumeric characters, hyphens (-) and underscores (_), - and be at most 63 characters in length. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z0-9\_-]+$ - type: string - location: - description: |- - location is the GCP location in which the Key Ring exists. - The value must match an existing GCP location, or "global". - Defaults to global, if not set. - pattern: ^[a-zA-Z0-9\_-]+$ - type: string - name: - description: |- - name is the name of the customer-managed encryption key to be used for disk encryption. - The value should correspond to an existing KMS key and should - consist of only alphanumeric characters, hyphens (-) and underscores (_), - and be at most 63 characters in length. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z0-9\_-]+$ - type: string - projectID: - description: |- - projectID is the ID of the Project in which the KMS Key Ring exists. - It must be 6 to 30 lowercase letters, digits, or hyphens. - It must start with a letter. Trailing hyphens are prohibited. - maxLength: 30 - minLength: 6 - pattern: ^[a-z][a-z0-9-]+[a-z0-9]$ - type: string - required: - - keyRing - - name - - projectID - type: object - type: object - ibmcloud: - description: ibmcloud is used to configure the IBM Cloud CSI driver. - properties: - encryptionKeyCRN: - description: |- - encryptionKeyCRN is the IBM Cloud CRN of the customer-managed root key to use - for disk encryption of volumes for the default storage classes. - maxLength: 154 - minLength: 144 - pattern: ^crn:v[0-9]+:bluemix:(public|private):(kms|hs-crypto):[a-z-]+:a/[0-9a-f]+:[0-9a-f-]{36}:key:[0-9a-f-]{36}$ - type: string - required: - - encryptionKeyCRN - type: object - vSphere: - description: vSphere is used to configure the vsphere CSI driver. - properties: - globalMaxSnapshotsPerBlockVolume: - description: |- - globalMaxSnapshotsPerBlockVolume is a global configuration parameter that applies to volumes on all kinds of - datastores. If omitted, the platform chooses a default, which is subject to change over time, currently that default is 3. - Snapshots can not be disabled using this parameter. - Increasing number of snapshots above 3 can have negative impact on performance, for more details see: https://kb.vmware.com/s/article/1025279 - Volume snapshot documentation: https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-E0B41C69-7EEB-450F-A73D-5FD2FF39E891.html - format: int32 - maximum: 32 - minimum: 1 - type: integer - granularMaxSnapshotsPerBlockVolumeInVSAN: - description: |- - granularMaxSnapshotsPerBlockVolumeInVSAN is a granular configuration parameter on vSAN datastore only. It - overrides GlobalMaxSnapshotsPerBlockVolume if set, while it falls back to the global constraint if unset. - Snapshots for VSAN can not be disabled using this parameter. - format: int32 - maximum: 32 - minimum: 1 - type: integer - granularMaxSnapshotsPerBlockVolumeInVVOL: - description: |- - granularMaxSnapshotsPerBlockVolumeInVVOL is a granular configuration parameter on Virtual Volumes datastore only. - It overrides GlobalMaxSnapshotsPerBlockVolume if set, while it falls back to the global constraint if unset. - Snapshots for VVOL can not be disabled using this parameter. - format: int32 - maximum: 32 - minimum: 1 - type: integer - topologyCategories: - description: |- - topologyCategories indicates tag categories with which - vcenter resources such as hostcluster or datacenter were tagged with. - If cluster Infrastructure object has a topology, values specified in - Infrastructure object will be used and modifications to topologyCategories - will be rejected. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - required: - - driverType - type: object - x-kubernetes-validations: - - message: ibmcloud must be set if driverType is 'IBMCloud', but remain - unset otherwise - rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? - has(self.ibmcloud) : !has(self.ibmcloud)' - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - storageClassState: - description: |- - storageClassState determines if CSI operator should create and manage storage classes. - If this field value is empty or Managed - CSI operator will continuously reconcile - storage class and create if necessary. - If this field value is Unmanaged - CSI operator will not reconcile any previously created - storage class. - If this field value is Removed - CSI operator will delete the storage class it created previously. - When omitted, this means the user has no opinion and the platform chooses a reasonable default, - which is subject to change over time. - The current default behaviour is Managed. - enum: - - "" - - Managed - - Unmanaged - - Removed - type: string - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml deleted file mode 100644 index 2fbc8d62f..000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml +++ /dev/null @@ -1,1052 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. - items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). - properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. - If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. - enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. - type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Never, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Disable means never enable UDP encapsulation even if NAT is present. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Never - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. - When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/48 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. - format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - routeAdvertisements: - description: |- - routeAdvertisements determines if the functionality to advertise cluster - network routes through a dynamic routing protocol, such as BGP, is - enabled or not. This functionality is configured through the - ovn-kubernetes RouteAdvertisements CRD. Requires the 'FRR' routing - capability provider to be enabled as an additional routing capability. - Allowed values are "Enabled", "Disabled" and ommited. When omitted, this - means the user has no opinion and the platform is left to choose - reasonable defaults. These defaults are subject to change over time. The - current default is "Disabled". - enum: - - "" - - Enabled - - Disabled - type: string - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is fd98::/48 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork specifies whether or not multiple pod network - support should be disabled. If unset, this property defaults to - 'false' and multiple network support is enabled. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. - properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml deleted file mode 100644 index 513d6b733..000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml +++ /dev/null @@ -1,1029 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. - items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). - properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. - If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. - enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. - type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Never, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Disable means never enable UDP encapsulation even if NAT is present. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Never - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. - When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/48 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. - format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is fd98::/48 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork specifies whether or not multiple pod network - support should be disabled. If unset, this property defaults to - 'false' and multiple network support is enabled. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. - properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 86128eaf4..000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,1052 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. - items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). - properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. - If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. - enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. - type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Never, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Disable means never enable UDP encapsulation even if NAT is present. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Never - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. - When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/48 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. - format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - routeAdvertisements: - description: |- - routeAdvertisements determines if the functionality to advertise cluster - network routes through a dynamic routing protocol, such as BGP, is - enabled or not. This functionality is configured through the - ovn-kubernetes RouteAdvertisements CRD. Requires the 'FRR' routing - capability provider to be enabled as an additional routing capability. - Allowed values are "Enabled", "Disabled" and ommited. When omitted, this - means the user has no opinion and the platform is left to choose - reasonable defaults. These defaults are subject to change over time. The - current default is "Disabled". - enum: - - "" - - Enabled - - Disabled - type: string - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is fd98::/48 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork specifies whether or not multiple pod network - support should be disabled. If unset, this property defaults to - 'false' and multiple network support is enabled. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. - properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 5990e7063..000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,1052 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. - items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). - properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. - If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. - enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. - type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Never, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Disable means never enable UDP encapsulation even if NAT is present. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Never - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. - When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/48 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. - format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - routeAdvertisements: - description: |- - routeAdvertisements determines if the functionality to advertise cluster - network routes through a dynamic routing protocol, such as BGP, is - enabled or not. This functionality is configured through the - ovn-kubernetes RouteAdvertisements CRD. Requires the 'FRR' routing - capability provider to be enabled as an additional routing capability. - Allowed values are "Enabled", "Disabled" and ommited. When omitted, this - means the user has no opinion and the platform is left to choose - reasonable defaults. These defaults are subject to change over time. The - current default is "Disabled". - enum: - - "" - - Enabled - - Disabled - type: string - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is fd98::/48 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork specifies whether or not multiple pod network - support should be disabled. If unset, this property defaults to - 'false' and multiple network support is enabled. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. - properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations.crd.yaml index 073cb45f3..7976d1dab 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations.crd.yaml @@ -77,8 +77,10 @@ spec: managedBootImages allows configuration for the management of boot images for machine resources within the cluster. This configuration allows users to select resources that should be updated to the latest boot images during cluster upgrades, ensuring that new machines - always boot with the current cluster version's boot image. When omitted, no boot images - will be updated. + always boot with the current cluster version's boot image. When omitted, this means no opinion + and the platform is left to choose a reasonable default, which is subject to change over time. + The default for each machine manager mode is All for GCP and AWS platforms, and None for all + other platforms. properties: machineManagers: description: |- @@ -116,9 +118,11 @@ spec: Valid values are All and Partial. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + None means that every resource matched by the machine manager will not be updated. enum: - All - Partial + - None type: string partial: description: |- @@ -190,6 +194,7 @@ spec: - resource - selection type: object + maxItems: 5 type: array x-kubernetes-list-map-keys: - resource @@ -703,6 +708,130 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map + managedBootImagesStatus: + description: |- + managedBootImagesStatus reflects what the latest cluster-validated boot image configuration is + and will be used by Machine Config Controller while performing boot image updates. + properties: + machineManagers: + description: |- + machineManagers can be used to register machine management resources for boot image updates. The Machine Config Operator + will watch for changes to this list. Only one entry is permitted per type of machine management resource. + items: + description: |- + MachineManager describes a target machine resource that is registered for boot image updates. It stores identifying information + such as the resource type and the API Group of the resource. It also provides granular control via the selection field. + properties: + apiGroup: + description: |- + apiGroup is name of the APIGroup that the machine management resource belongs to. + The only current valid value is machine.openshift.io. + machine.openshift.io means that the machine manager will only register resources that belong to OpenShift machine API group. + enum: + - machine.openshift.io + type: string + resource: + description: |- + resource is the machine management resource's type. + The only current valid value is machinesets. + machinesets means that the machine manager will only register resources of the kind MachineSet. + enum: + - machinesets + type: string + selection: + description: selection allows granular control of the machine + management resources that will be registered for boot + image updates. + properties: + mode: + description: |- + mode determines how machine managers will be selected for updates. + Valid values are All and Partial. + All means that every resource matched by the machine manager will be updated. + Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. + None means that every resource matched by the machine manager will not be updated. + enum: + - All + - Partial + - None + type: string + partial: + description: |- + partial provides label selector(s) that can be used to match machine management resources. + Only permitted when mode is set to "Partial". + properties: + machineResourceSelector: + description: machineResourceSelector is a label + selector that can be used to select machine resources + like MachineSets. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - machineResourceSelector + type: object + required: + - mode + type: object + x-kubernetes-validations: + - message: Partial is required when type is partial, and + forbidden otherwise + rule: 'has(self.mode) && self.mode == ''Partial'' ? has(self.partial) + : !has(self.partial)' + required: + - apiGroup + - resource + - selection + type: object + maxItems: 5 + type: array + x-kubernetes-list-map-keys: + - resource + - apiGroup + x-kubernetes-list-type: map + type: object nodeDisruptionPolicyStatus: description: |- nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index 700ae5e69..d8f3cbc2f 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 @@ -849,6 +849,22 @@ func (in *ConfigList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConfigMapFileReference) DeepCopyInto(out *ConfigMapFileReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapFileReference. +func (in *ConfigMapFileReference) DeepCopy() *ConfigMapFileReference { + if in == nil { + return nil + } + out := new(ConfigMapFileReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConfigSpec) DeepCopyInto(out *ConfigSpec) { *out = *in @@ -931,6 +947,13 @@ func (in *ConsoleConfigRoute) DeepCopy() *ConsoleConfigRoute { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConsoleCustomization) DeepCopyInto(out *ConsoleCustomization) { *out = *in + if in.Logos != nil { + in, out := &in.Logos, &out.Logos + *out = make([]Logo, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Capabilities != nil { in, out := &in.Capabilities, &out.Capabilities *out = make([]Capability, len(*in)) @@ -1598,6 +1621,27 @@ func (in *FeaturesMigration) DeepCopy() *FeaturesMigration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FileReferenceSource) DeepCopyInto(out *FileReferenceSource) { + *out = *in + if in.ConfigMap != nil { + in, out := &in.ConfigMap, &out.ConfigMap + *out = new(ConfigMapFileReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileReferenceSource. +func (in *FileReferenceSource) DeepCopy() *FileReferenceSource { + if in == nil { + return nil + } + out := new(FileReferenceSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ForwardPlugin) DeepCopyInto(out *ForwardPlugin) { *out = *in @@ -3035,6 +3079,29 @@ func (in *LoggingDestination) DeepCopy() *LoggingDestination { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Logo) DeepCopyInto(out *Logo) { + *out = *in + if in.Themes != nil { + in, out := &in.Themes, &out.Themes + *out = make([]Theme, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Logo. +func (in *Logo) DeepCopy() *Logo { + if in == nil { + return nil + } + out := new(Logo) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MTUMigration) DeepCopyInto(out *MTUMigration) { *out = *in @@ -3178,6 +3245,7 @@ func (in *MachineConfigurationStatus) DeepCopyInto(out *MachineConfigurationStat } } in.NodeDisruptionPolicyStatus.DeepCopyInto(&out.NodeDisruptionPolicyStatus) + in.ManagedBootImagesStatus.DeepCopyInto(&out.ManagedBootImagesStatus) return } @@ -5276,6 +5344,23 @@ func (in *SyslogLoggingDestinationParameters) DeepCopy() *SyslogLoggingDestinati return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Theme) DeepCopyInto(out *Theme) { + *out = *in + in.Source.DeepCopyInto(&out.Source) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Theme. +func (in *Theme) DeepCopy() *Theme { + if in == nil { + return nil + } + out := new(Theme) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Upstream) DeepCopyInto(out *Upstream) { *out = *in diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index d45d8ac30..e9750a924 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -70,7 +70,7 @@ clustercsidrivers.operator.openshift.io: Category: "" FeatureGates: - AWSEFSDriverVolumeMetrics - - VSphereDriverConfiguration + - VSphereConfigurableMaxAllowedBlockVolumesPerNode FilenameOperatorName: csi-driver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_50" @@ -180,6 +180,7 @@ ingresscontrollers.operator.openshift.io: FeatureGates: - IngressControllerLBSubnetsAWS - SetEIPForNLBIngressController + - SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" @@ -307,7 +308,6 @@ machineconfigurations.operator.openshift.io: Category: "" FeatureGates: - ManagedBootImages - - NodeDisruptionPolicy FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 93eca5730..a0fa4fe47 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -37,8 +37,8 @@ func (MyOperatorResource) SwaggerDoc() map[string]string { var map_NodeStatus = map[string]string{ "": "NodeStatus provides information about the current state of a particular node managed by this operator.", "nodeName": "nodeName is the name of the node", - "currentRevision": "currentRevision is the generation of the most recently successful deployment", - "targetRevision": "targetRevision is the generation of the deployment we're trying to apply", + "currentRevision": "currentRevision is the generation of the most recently successful deployment. Can not be set on creation of a nodeStatus. Updates must only increase the value.", + "targetRevision": "targetRevision is the generation of the deployment we're trying to apply. Can not be set on creation of a nodeStatus.", "lastFailedRevision": "lastFailedRevision is the generation of the deployment we tried and failed to deploy.", "lastFailedTime": "lastFailedTime is the time the last failed revision failed the last time.", "lastFailedReason": "lastFailedReason is a machine readable failure reason string.", @@ -227,6 +227,16 @@ func (CapabilityVisibility) SwaggerDoc() map[string]string { return map_CapabilityVisibility } +var map_ConfigMapFileReference = map[string]string{ + "": "ConfigMapFileReference references a specific file within a ConfigMap.", + "name": "name is the name of the ConfigMap. name is a required field. Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. Must be at most 253 characters in length.", + "key": "key is the logo key inside the referenced ConfigMap. Must consist only of alphanumeric characters, dashes (-), underscores (_), and periods (.). Must be at most 253 characters in length. Must end in a valid file extension. A valid file extension must consist of a period followed by 2 to 5 alpha characters.", +} + +func (ConfigMapFileReference) SwaggerDoc() map[string]string { + return map_ConfigMapFileReference +} + var map_Console = map[string]string{ "": "Console provides a means to configure an operator to manage the console.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -247,12 +257,13 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string { } var map_ConsoleCustomization = map[string]string{ - "": "ConsoleCustomization defines a list of optional configuration for the console UI.", + "": "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.", + "logos": "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.", "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", "brand": "brand is the default branding of the web console which can be overridden by providing the brand field. There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.", "documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console. Providing documentationBaseURL will override the default documentation URL. Invalid value will prevent a console rollout.", "customProductName": "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.", - "customLogoFile": "customLogoFile replaces the default OpenShift logo in the masthead and about dialog. It is a reference to a ConfigMap in the openshift-config namespace. This can be created with a command like 'oc create configmap custom-logo --from-file=/path/to/file -n openshift-config'. Image size must be less than 1 MB due to constraints on the ConfigMap size. The ConfigMap key should include a file extension so that the console serves the file with the correct MIME type. Recommended logo specifications: Dimensions: Max height of 68px and max width of 200px SVG format preferred", + "customLogoFile": "customLogoFile replaces the default OpenShift logo in the masthead and about dialog. It is a reference to a Only one of customLogoFile or logos can be set at a time. ConfigMap in the openshift-config namespace. This can be created with a command like 'oc create configmap custom-logo --from-file=/path/to/file -n openshift-config'. Image size must be less than 1 MB due to constraints on the ConfigMap size. The ConfigMap key should include a file extension so that the console serves the file with the correct MIME type. The recommended file format for the logo is SVG, but other file formats are allowed if supported by the browser. Deprecated: Use logos instead.", "developerCatalog": "developerCatalog allows to configure the shown developer catalog categories (filters) and types (sub-catalogs).", "projectAccess": "projectAccess allows customizing the available list of ClusterRoles in the Developer perspective Project access page which can be used by a project admin to specify roles to other users and restrict access within the project. If set, the list will replace the default ClusterRole options.", "quickStarts": "quickStarts allows customization of available ConsoleQuickStart resources in console.", @@ -344,6 +355,16 @@ func (DeveloperConsoleCatalogTypes) SwaggerDoc() map[string]string { return map_DeveloperConsoleCatalogTypes } +var map_FileReferenceSource = map[string]string{ + "": "FileReferenceSource is used by the console to locate the specified file containing a custom logo.", + "from": "from is a required field to specify the source type of the file reference. Allowed values are ConfigMap. When set to ConfigMap, the file will be sourced from a ConfigMap in the openshift-config namespace. The configMap field must be set when from is set to ConfigMap.", + "configMap": "configMap specifies the ConfigMap sourcing details such as the name of the ConfigMap and the key for the file. The ConfigMap must exist in the openshift-config namespace. Required when from is \"ConfigMap\", and forbidden otherwise.", +} + +func (FileReferenceSource) SwaggerDoc() map[string]string { + return map_FileReferenceSource +} + var map_Ingress = map[string]string{ "": "Ingress allows cluster admin to configure alternative ingress for the console.", "consoleURL": "consoleURL is a URL to be used as the base console address. If not specified, the console route hostname will be used. This field is required for clusters without ingress capability, where access to routes is not possible. Make sure that appropriate ingress is set up at this URL. The console operator will monitor the URL and may go degraded if it's unreachable for an extended period. Must use the HTTPS scheme.", @@ -354,6 +375,16 @@ func (Ingress) SwaggerDoc() map[string]string { return map_Ingress } +var map_Logo = map[string]string{ + "": "Logo defines a configuration based on theme modes for the console UI logo.", + "type": "type specifies the type of the logo for the console UI. It determines whether the logo is for the masthead or favicon. type is a required field that allows values of Masthead and Favicon. When set to \"Masthead\", the logo will be used in the masthead and about modal of the console UI. When set to \"Favicon\", the logo will be used as the favicon of the console UI.", + "themes": "themes specifies the themes for the console UI logo. themes is a required field that allows a list of themes. Each item in the themes list must have a unique mode and a source field. Each mode determines whether the logo is for the dark or light mode of the console UI. If a theme is not specified, the default OpenShift logo will be displayed for that theme. There must be at least one entry and no more than 2 entries.", +} + +func (Logo) SwaggerDoc() map[string]string { + return map_Logo +} + var map_Perspective = map[string]string{ "": "Perspective defines a perspective that cluster admins want to show/hide in the perspective switcher dropdown", "id": "id defines the id of the perspective. Example: \"dev\", \"admin\". The available perspective ids can be found in the code snippet section next to the yaml editor. Incorrect or unknown ids will be ignored.", @@ -423,6 +454,16 @@ func (StatuspageProvider) SwaggerDoc() map[string]string { return map_StatuspageProvider } +var map_Theme = map[string]string{ + "": "Theme defines a theme mode for the console UI.", + "mode": "mode is used to specify what theme mode a logo will apply to in the console UI. mode is a required field that allows values of Dark and Light. When set to Dark, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Dark mode. When set to Light, the logo file referenced in the 'file' field will be used when an end-user of the console UI enables the Light mode.", + "source": "source is used by the console to locate the specified file containing a custom logo. source is a required field that references a ConfigMap name and key that contains the custom logo file in the openshift-config namespace. You can create it with a command like: - 'oc create configmap custom-logos-config --namespace=openshift-config --from-file=/path/to/file' The ConfigMap key must include the file extension so that the console serves the file with the correct MIME type. The recommended file format for the Masthead and Favicon logos is SVG, but other file formats are allowed if supported by the browser. The logo image size must be less than 1 MB due to constraints on the ConfigMap size. For more information, see the documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/web_console/customizing-web-console#customizing-web-console", +} + +func (Theme) SwaggerDoc() map[string]string { + return map_Theme +} + var map_AWSCSIDriverConfigSpec = map[string]string{ "": "AWSCSIDriverConfigSpec defines properties that can be configured for the AWS CSI driver.", "kmsKeyARN": "kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key.", @@ -561,6 +602,7 @@ var map_VSphereCSIDriverConfigSpec = map[string]string{ "globalMaxSnapshotsPerBlockVolume": "globalMaxSnapshotsPerBlockVolume is a global configuration parameter that applies to volumes on all kinds of datastores. If omitted, the platform chooses a default, which is subject to change over time, currently that default is 3. Snapshots can not be disabled using this parameter. Increasing number of snapshots above 3 can have negative impact on performance, for more details see: https://kb.vmware.com/s/article/1025279 Volume snapshot documentation: https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-E0B41C69-7EEB-450F-A73D-5FD2FF39E891.html", "granularMaxSnapshotsPerBlockVolumeInVSAN": "granularMaxSnapshotsPerBlockVolumeInVSAN is a granular configuration parameter on vSAN datastore only. It overrides GlobalMaxSnapshotsPerBlockVolume if set, while it falls back to the global constraint if unset. Snapshots for VSAN can not be disabled using this parameter.", "granularMaxSnapshotsPerBlockVolumeInVVOL": "granularMaxSnapshotsPerBlockVolumeInVVOL is a granular configuration parameter on Virtual Volumes datastore only. It overrides GlobalMaxSnapshotsPerBlockVolume if set, while it falls back to the global constraint if unset. Snapshots for VVOL can not be disabled using this parameter.", + "maxAllowedBlockVolumesPerNode": "maxAllowedBlockVolumesPerNode is an optional configuration parameter that allows setting a custom value for the limit of the number of PersistentVolumes attached to a node. In vSphere version 7 this limit was set to 59 by default, however in vSphere version 8 this limit was increased to 255. Before increasing this value above 59 the cluster administrator needs to ensure that every node forming the cluster is updated to ESXi version 8 or higher and that all nodes are running the same version. The limit must be between 1 and 255, which matches the vSphere version 8 maximum. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is 59, which matches the limit for vSphere version 7.", } func (VSphereCSIDriverConfigSpec) SwaggerDoc() map[string]string { @@ -1359,7 +1401,7 @@ func (MachineConfigurationList) SwaggerDoc() map[string]string { } var map_MachineConfigurationSpec = map[string]string{ - "managedBootImages": "managedBootImages allows configuration for the management of boot images for machine resources within the cluster. This configuration allows users to select resources that should be updated to the latest boot images during cluster upgrades, ensuring that new machines always boot with the current cluster version's boot image. When omitted, no boot images will be updated.", + "managedBootImages": "managedBootImages allows configuration for the management of boot images for machine resources within the cluster. This configuration allows users to select resources that should be updated to the latest boot images during cluster upgrades, ensuring that new machines always boot with the current cluster version's boot image. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default for each machine manager mode is All for GCP and AWS platforms, and None for all other platforms.", "nodeDisruptionPolicy": "nodeDisruptionPolicy allows an admin to set granular node disruption actions for MachineConfig-based updates, such as drains, service reloads, etc. Specifying this will allow for less downtime when doing small configuration updates to the cluster. This configuration has no effect on cluster upgrades which will still incur node disruption where required.", } @@ -1371,6 +1413,7 @@ var map_MachineConfigurationStatus = map[string]string{ "observedGeneration": "observedGeneration is the last generation change you've dealt with", "conditions": "conditions is a list of conditions and their status", "nodeDisruptionPolicyStatus": "nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, and will be used by the Machine Config Daemon during future node updates.", + "managedBootImagesStatus": "managedBootImagesStatus reflects what the latest cluster-validated boot image configuration is and will be used by Machine Config Controller while performing boot image updates.", } func (MachineConfigurationStatus) SwaggerDoc() map[string]string { @@ -1389,7 +1432,7 @@ func (MachineManager) SwaggerDoc() map[string]string { } var map_MachineManagerSelector = map[string]string{ - "mode": "mode determines how machine managers will be selected for updates. Valid values are All and Partial. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated.", + "mode": "mode determines how machine managers will be selected for updates. Valid values are All and Partial. All means that every resource matched by the machine manager will be updated. Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. None means that every resource matched by the machine manager will not be updated.", "partial": "partial provides label selector(s) that can be used to match machine management resources. Only permitted when mode is set to \"Partial\".", } @@ -1660,7 +1703,7 @@ func (IPsecConfig) SwaggerDoc() map[string]string { var map_IPsecFullModeConfig = map[string]string{ "": "IPsecFullModeConfig defines configuration parameters for the IPsec `Full` mode.", - "encapsulation": "encapsulation option to configure libreswan on how inter-pod traffic across nodes are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 for the encapsulation. Valid values are Always, Never, Auto and omitted. Always means enable UDP encapsulation regardless of whether NAT is detected. Disable means never enable UDP encapsulation even if NAT is present. Auto means enable UDP encapsulation based on the detection of NAT. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Auto.", + "encapsulation": "encapsulation option to configure libreswan on how inter-pod traffic across nodes are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 for the encapsulation. Valid values are Always, Auto and omitted. Always means enable UDP encapsulation regardless of whether NAT is detected. Auto means enable UDP encapsulation based on the detection of NAT. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Auto.", } func (IPsecFullModeConfig) SwaggerDoc() map[string]string { @@ -1696,7 +1739,7 @@ func (IPv6GatewayConfig) SwaggerDoc() map[string]string { var map_IPv6OVNKubernetesConfig = map[string]string{ "internalTransitSwitchSubnet": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", - "internalJoinSubnet": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/48 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "internalJoinSubnet": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", } func (IPv6OVNKubernetesConfig) SwaggerDoc() map[string]string { @@ -1767,7 +1810,7 @@ var map_NetworkSpec = map[string]string{ "serviceNetwork": "serviceNetwork is the ip address pool to use for Service IPs Currently, all existing network providers only support a single value here, but this is an array to allow for growth.", "defaultNetwork": "defaultNetwork is the \"default\" network that all pods will receive", "additionalNetworks": "additionalNetworks is a list of extra networks to make available to pods when multiple networks are enabled.", - "disableMultiNetwork": "disableMultiNetwork specifies whether or not multiple pod network support should be disabled. If unset, this property defaults to 'false' and multiple network support is enabled.", + "disableMultiNetwork": "disableMultiNetwork defaults to 'false' and this setting enables the pod multi-networking capability. disableMultiNetwork when set to 'true' at cluster install time does not install the components, typically the Multus CNI and the network-attachment-definition CRD, that enable the pod multi-networking capability. Setting the parameter to 'true' might be useful when you need install third-party CNI plugins, but these plugins are not supported by Red Hat. Changing the parameter value as a postinstallation cluster task has no effect.", "useMultiNetworkPolicy": "useMultiNetworkPolicy enables a controller which allows for MultiNetworkPolicy objects to be used on additional networks as created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy objects, but NetworkPolicy objects only apply to the primary interface. With MultiNetworkPolicy, you can control the traffic that a pod can receive over the secondary interfaces. If unset, this property defaults to 'false' and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is 'true' then the value of this field is ignored.", "deployKubeProxy": "deployKubeProxy specifies whether or not a standalone kube-proxy should be deployed by the operator. Some network providers include kube-proxy or similar functionality. If unset, the plugin will attempt to select the correct value, which is false when ovn-kubernetes is used and true otherwise.", "disableNetworkDiagnostics": "disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck CRs from a test pod to every node, apiserver and LB should be disabled or not. If unset, this property defaults to 'false' and network diagnostics is enabled. Setting this to 'true' would reduce the additional load of the pods performing the checks.", @@ -1798,7 +1841,7 @@ var map_OVNKubernetesConfig = map[string]string{ "policyAuditConfig": "policyAuditConfig is the configuration for network policy audit events. If unset, reported defaults are used.", "gatewayConfig": "gatewayConfig holds the configuration for node gateway options.", "v4InternalSubnet": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", - "v6InternalSubnet": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/48", + "v6InternalSubnet": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", "egressIPConfig": "egressIPConfig holds the configuration for EgressIP options.", "ipv4": "ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.", "ipv6": "ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.", diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/register.go b/vendor/github.com/openshift/api/operator/v1alpha1/register.go index 0921431c0..3e9b09cce 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/register.go +++ b/vendor/github.com/openshift/api/operator/v1alpha1/register.go @@ -39,6 +39,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &OLMList{}, &EtcdBackup{}, &EtcdBackupList{}, + &ClusterVersionOperator{}, + &ClusterVersionOperatorList{}, ) return nil diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/types_etcdbackup.go b/vendor/github.com/openshift/api/operator/v1alpha1/types_etcdbackup.go index 3c6f344b1..fe56b0eab 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/types_etcdbackup.go +++ b/vendor/github.com/openshift/api/operator/v1alpha1/types_etcdbackup.go @@ -44,12 +44,10 @@ type EtcdBackupSpec struct { // +kubebuilder:validation:Optional type EtcdBackupStatus struct { // conditions provide details on the status of the etcd backup job. - // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type // +optional - Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []metav1.Condition `json:"conditions,omitempty"` // backupJob is the reference to the Job that executes the backup. // Optional diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go index f8daa0576..de4c07128 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/zz_generated.deepcopy.go index 26431d8c1..d5276d664 100644 --- a/vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/osin/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/osin/v1/zz_generated.deepcopy.go index cb90b8365..7d7234534 100644 --- a/vendor/github.com/openshift/api/osin/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/osin/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/project/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/project/v1/zz_generated.deepcopy.go index ddbdda971..b712a4811 100644 --- a/vendor/github.com/openshift/api/project/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/project/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/quota/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/quota/v1/zz_generated.deepcopy.go index 72ac882fb..3ef29ce03 100644 --- a/vendor/github.com/openshift/api/quota/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/quota/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/route/v1/generated.proto b/vendor/github.com/openshift/api/route/v1/generated.proto index d6e1845b4..adfce0d19 100644 --- a/vendor/github.com/openshift/api/route/v1/generated.proto +++ b/vendor/github.com/openshift/api/route/v1/generated.proto @@ -458,6 +458,8 @@ message TLSConfig { // chain. Do not include a CA certificate. The secret referenced should // be present in the same namespace as that of the Route. // Forbidden when `certificate` is set. + // The router service account needs to be granted with read-only access to this secret, + // please refer to openshift docs for additional details. // // +openshift:enable:FeatureGate=RouteExternalCertificate // +optional diff --git a/vendor/github.com/openshift/api/route/v1/types.go b/vendor/github.com/openshift/api/route/v1/types.go index 8fc250877..2feb425a2 100644 --- a/vendor/github.com/openshift/api/route/v1/types.go +++ b/vendor/github.com/openshift/api/route/v1/types.go @@ -469,6 +469,8 @@ type TLSConfig struct { // chain. Do not include a CA certificate. The secret referenced should // be present in the same namespace as that of the Route. // Forbidden when `certificate` is set. + // The router service account needs to be granted with read-only access to this secret, + // please refer to openshift docs for additional details. // // +openshift:enable:FeatureGate=RouteExternalCertificate // +optional diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/route/v1/zz_generated.deepcopy.go index 23a2edd42..155348d36 100644 --- a/vendor/github.com/openshift/api/route/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/route/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go index 1d59f1033..e6c44a6b0 100644 --- a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go @@ -179,7 +179,7 @@ var map_TLSConfig = map[string]string{ "caCertificate": "caCertificate provides the cert authority certificate contents", "destinationCACertificate": "destinationCACertificate provides the contents of the ca certificate of the final destination. When using reencrypt termination this file should be provided in order to have routers use it for health checks on the secure connection. If this field is not specified, the router may provide its own destination CA and perform hostname validation using the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify.", "insecureEdgeTerminationPolicy": "insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80.\n\nIf a route does not specify insecureEdgeTerminationPolicy, then the default behavior is \"None\".\n\n* Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only).\n\n* None - no traffic is allowed on the insecure port (default).\n\n* Redirect - clients are redirected to the secure port.", - "externalCertificate": "externalCertificate provides certificate contents as a secret reference. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate. The secret referenced should be present in the same namespace as that of the Route. Forbidden when `certificate` is set.", + "externalCertificate": "externalCertificate provides certificate contents as a secret reference. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate. The secret referenced should be present in the same namespace as that of the Route. Forbidden when `certificate` is set. The router service account needs to be granted with read-only access to this secret, please refer to openshift docs for additional details.", } func (TLSConfig) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/samples/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/samples/v1/zz_generated.deepcopy.go index 30979c048..115712beb 100644 --- a/vendor/github.com/openshift/api/samples/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/samples/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/security/v1/consts.go b/vendor/github.com/openshift/api/security/v1/consts.go index 7e8adf6e6..92147d3c5 100644 --- a/vendor/github.com/openshift/api/security/v1/consts.go +++ b/vendor/github.com/openshift/api/security/v1/consts.go @@ -13,4 +13,9 @@ const ( // MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace. MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard" + + // ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the + // SCC admission. This can be used by controllers to detect potential issues + // between user-driven SCC usage and the ServiceAccount-driven SCC usage. + ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type" ) diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go index 66e8b5a21..d6263fc02 100644 --- a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/servicecertsigner/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/servicecertsigner/v1alpha1/zz_generated.deepcopy.go index 2661c23aa..58d9447a1 100644 --- a/vendor/github.com/openshift/api/servicecertsigner/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/servicecertsigner/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_configmap.go b/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_configmap.go index 3b6e6be37..2a4a0d1b6 100644 --- a/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_configmap.go +++ b/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_configmap.go @@ -93,7 +93,8 @@ type SharedConfigMapSpec struct { // SharedSecretStatus contains the observed status of the shared resource type SharedConfigMapStatus struct { // conditions represents any observations made on this particular shared resource by the underlying CSI driver or Share controller. - // +patchMergeKey=type - // +patchStrategy=merge - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_secret.go b/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_secret.go index 3ea9260f0..be06f9774 100644 --- a/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_secret.go +++ b/vendor/github.com/openshift/api/sharedresource/v1alpha1/types_shared_secret.go @@ -92,7 +92,8 @@ type SharedSecretSpec struct { // SharedSecretStatus contains the observed status of the shared resource type SharedSecretStatus struct { // conditions represents any observations made on this particular shared resource by the underlying CSI driver or Share controller. - // +patchMergeKey=type - // +patchStrategy=merge - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` } diff --git a/vendor/github.com/openshift/api/sharedresource/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/sharedresource/v1alpha1/zz_generated.deepcopy.go index 25ecd3836..d8ed6e906 100644 --- a/vendor/github.com/openshift/api/sharedresource/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/sharedresource/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1alpha1 diff --git a/vendor/github.com/openshift/api/template/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/template/v1/zz_generated.deepcopy.go index ff14f246b..7cefe4863 100644 --- a/vendor/github.com/openshift/api/template/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/template/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/github.com/openshift/api/user/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/user/v1/zz_generated.deepcopy.go index e6b2fb867..b32e715a6 100644 --- a/vendor/github.com/openshift/api/user/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/user/v1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by codegen. DO NOT EDIT. package v1 diff --git a/vendor/modules.txt b/vendor/modules.txt index b1a55e1df..409aa3de8 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -806,7 +806,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/openshift/api v0.0.0-20250128061932-d2791f98ff08 +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations @@ -824,8 +824,10 @@ github.com/openshift/api/config github.com/openshift/api/config/v1 github.com/openshift/api/config/v1/zz_generated.crd-manifests github.com/openshift/api/config/v1alpha1 +github.com/openshift/api/config/v1alpha2 github.com/openshift/api/console github.com/openshift/api/console/v1 +github.com/openshift/api/features github.com/openshift/api/helm github.com/openshift/api/helm/v1beta1 github.com/openshift/api/image