diff --git a/Makefile b/Makefile
index 59d93e713..2703c7f0b 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ bin/: manifests-gen: | bin/ ## Build manifests-gen binary cd manifests-gen && go build -o ../bin/manifests-gen && cd .. -bin/%: | bin/ FORCE +bin/%: FORCE | bin/ go build -o "$@" "./cmd/$*" .PHONY: localtestenv
diff --git a/e2e/go.mod b/e2e/go.mod
index 5b9b6561f..f54482ab9 100644
--- a/e2e/go.mod
+++ b/e2e/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/metal3-io/cluster-api-provider-metal3/api v1.11.2
 github.com/onsi/ginkgo/v2 v2.27.2
 github.com/onsi/gomega v1.38.2
- github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7
+ github.com/openshift/api v0.0.0-20260209232644-126cbbe24427
 github.com/openshift/cluster-api-actuator-pkg v0.0.0-20251203134942-d9bd7b8593f3
 github.com/openshift/cluster-api-provider-baremetal v0.0.0-20250619124612-fb678fec5f7e
 k8s.io/api v0.34.1
@@ -86,7 +86,7 @@ require (
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
- github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae // indirect
+ github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 // indirect
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0 // indirect
 github.com/openshift/cluster-autoscaler-operator v0.0.1-0.20250702183526-4eb64d553940 // indirect
 github.com/openshift/library-go v0.0.0-20251222131241-289839b3ffe8 // indirect
diff --git a/e2e/go.sum b/e2e/go.sum
index 1147a8b94..42e7c3305 100644
--- a/e2e/go.sum
+++ b/e2e/go.sum
@@ -200,10 +200,10 @@ github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns
 github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
-github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7 h1:DeKd90ff6ieG02cFroiRTh7oKguGVaEYyTDkXHLIn5A=
-github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae h1:veyDeAOBVJun1KoOsTIRlD7Q5LwRR32kfS2IPjPXJKE=
-github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae/go.mod h1:leoeMrUnO40DwByGl7we2l+h6HQq3Y6bHUa+DnmRl+8=
+github.com/openshift/api v0.0.0-20260209232644-126cbbe24427 h1:MExw+yvWGmbwlTpsO8sk16n3YQeeE2QxLmLpQouIGeE=
+github.com/openshift/api v0.0.0-20260209232644-126cbbe24427/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
 github.com/openshift/cluster-api-actuator-pkg v0.0.0-20251203134942-d9bd7b8593f3 h1:hrMexZRXjVmqIXk+cuHhDA78UZDelEBMRpBRQij1uyY=
 github.com/openshift/cluster-api-actuator-pkg v0.0.0-20251203134942-d9bd7b8593f3/go.mod h1:D4Au/NRxORRuJa+/4W6O0WpvPyT+U/2aMOWeMsNZAnE=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251203134942-d9bd7b8593f3 h1:UvYbHBPobL34p9vdctJDtgD0tAJIVNSYNgKCr69oW5Y=
diff --git a/e2e/machine_migration_capi_authoritative_test.go b/e2e/machine_migration_capi_authoritative_test.go
index e78b53c95..d44e2fa27 100644
--- a/e2e/machine_migration_capi_authoritative_test.go
+++ b/e2e/machine_migration_capi_authoritative_test.go
@@ -198,6 +198,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.ClusterAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 })
@@ -209,6 +210,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.MachineAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 })
@@ -220,6 +222,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.ClusterAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 })
diff --git a/e2e/machine_migration_helpers.go b/e2e/machine_migration_helpers.go
index 89f231edc..e0c5d0230 100644
--- a/e2e/machine_migration_helpers.go
+++ b/e2e/machine_migration_helpers.go
@@ -333,3 +333,12 @@ func verifyMachineSynchronizedGeneration(cl client.Client, mapiMachine *mapiv1be
 fmt.Sprintf("MAPI Machine SynchronizedGeneration should equal %s Machine Generation (%d)", authoritativeMachineType, expectedGeneration),
 )
 }
+
+// verifyMachineSynchronizedAPI verifies that the MAPI Machine's status.synchronizedAPI matches the expected value.
+func verifyMachineSynchronizedAPI(mapiMachine *mapiv1beta1.Machine, expectedSynchronizedAPI mapiv1beta1.SynchronizedAPI) {
+ By(fmt.Sprintf("Verifying MAPI Machine SynchronizedAPI is %s", expectedSynchronizedAPI))
+ Eventually(komega.Object(mapiMachine), capiframework.WaitMedium, capiframework.RetryMedium).Should(
+ HaveField("Status.SynchronizedAPI", Equal(expectedSynchronizedAPI)),
+ fmt.Sprintf("MAPI Machine SynchronizedAPI should be %s", expectedSynchronizedAPI),
+ )
+}
diff --git a/e2e/machine_migration_mapi_authoritative_test.go b/e2e/machine_migration_mapi_authoritative_test.go
index 1d470f4c3..5a968da77 100644
--- a/e2e/machine_migration_mapi_authoritative_test.go
+++ b/e2e/machine_migration_mapi_authoritative_test.go
@@ -24,7 +24,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 }
 })
 
- var _ = Describe("Create standalone MAPI Machine", Ordered, func() {
+ Context("Create standalone MAPI Machine", Ordered, func() {
 var mapiMachineAuthMAPIName = "machine-authoritativeapi-mapi"
 var newCapiMachine *clusterv1.Machine
 var newMapiMachine *mapiv1beta1.Machine
@@ -62,7 +62,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 })
 })
 
- var _ = Describe("Deleting MAPI Machines", Ordered, func() {
+ Context("Deleting MAPI Machines", Ordered, func() {
 var mapiMachineAuthMAPINameDeleteMAPIMachine = "machine-authoritativeapi-mapi-delete-mapi"
 var mapiMachineAuthMAPINameDeleteCAPIMachine = "machine-authoritativeapi-mapi-delete-capi"
 var newCapiMachine *clusterv1.Machine
@@ -133,7 +133,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 })
 })
 
- var _ = Describe("Machine Migration Round Trip Tests", Ordered, func() {
+ Context("Machine Migration Round Trip Tests", Ordered, func() {
 var mapiCapiMapiRoundTripName = "machine-mapi-capi-mapi-roundtrip"
 var newMapiMachine *mapiv1beta1.Machine
 var newCapiMachine *clusterv1.Machine
@@ -163,6 +163,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.MachineAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 })
@@ -174,6 +175,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.ClusterAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
 })
@@ -185,6 +187,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineAuthoritative(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMAPIMachineSynchronizedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachineSynchronizedGeneration(cl, newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSynchronizedAPI(newMapiMachine, mapiv1beta1.MachineAPISynchronized)
 verifyMachinePausedCondition(newMapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachinePausedCondition(newCapiMachine, mapiv1beta1.MachineAuthorityMachineAPI)
 })
diff --git a/e2e/machineset_migration_capi_authoritative_test.go b/e2e/machineset_migration_capi_authoritative_test.go
index 43bb5b023..810da9759 100644
--- a/e2e/machineset_migration_capi_authoritative_test.go
+++ b/e2e/machineset_migration_capi_authoritative_test.go
@@ -166,6 +166,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineSetPausedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachineSetPausedCondition(capiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSetSynchronizedAPI(mapiMachineSet, mapiv1beta1.MachineAPISynchronized)
 })
 
 It("should succeed scaling up MAPI MachineSet to 3, after switching AuthoritativeAPI to MachineAPI", func() {
@@ -204,6 +205,7 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineSetPausedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachineSetPausedCondition(capiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSetSynchronizedAPI(mapiMachineSet, mapiv1beta1.ClusterAPISynchronized)
 })
 
 It("should delete both MAPI and CAPI MachineSets/Machines and InfraMachineTemplate when deleting CAPI MachineSet", func() {
diff --git a/e2e/machineset_migration_helpers.go b/e2e/machineset_migration_helpers.go
index 3a0b6cf24..a07cebdce 100644
--- a/e2e/machineset_migration_helpers.go
+++ b/e2e/machineset_migration_helpers.go
@@ -218,6 +218,15 @@ func verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet *mapiv1beta1.Machi
 )
 }
 
+// verifyMachineSetSynchronizedAPI verifies that the MAPI MachineSet's status.synchronizedAPI matches the expected value.
+func verifyMachineSetSynchronizedAPI(mapiMachineSet *mapiv1beta1.MachineSet, expectedSynchronizedAPI mapiv1beta1.SynchronizedAPI) {
+ By(fmt.Sprintf("Verifying MAPI MachineSet SynchronizedAPI is %s", expectedSynchronizedAPI))
+ Eventually(komega.Object(mapiMachineSet), capiframework.WaitMedium, capiframework.RetryMedium).Should(
+ HaveField("Status.SynchronizedAPI", Equal(expectedSynchronizedAPI)),
+ fmt.Sprintf("MAPI MachineSet SynchronizedAPI should be %s", expectedSynchronizedAPI),
+ )
+}
+
 // verifyMAPIMachineSetProviderSpec verifies that a MAPI MachineSet's providerSpec matches the given Gomega matcher.
 func verifyMAPIMachineSetProviderSpec(mapiMachineSet *mapiv1beta1.MachineSet, matcher types.GomegaMatcher) {
 By(fmt.Sprintf("Verifying MAPI MachineSet %s ProviderSpec", mapiMachineSet.Name))
diff --git a/e2e/machineset_migration_mapi_authoritative_test.go b/e2e/machineset_migration_mapi_authoritative_test.go
index 800a5f4a6..2715832f9 100644
--- a/e2e/machineset_migration_mapi_authoritative_test.go
+++ b/e2e/machineset_migration_mapi_authoritative_test.go
@@ -166,6 +166,8 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 verifyMachineSetPausedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMachineSetPausedCondition(capiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSetAuthoritative(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSetSynchronizedAPI(mapiMachineSet, mapiv1beta1.ClusterAPISynchronized)
 })
 
 It("should succeed scaling up CAPI MachineSet to 3, after the switch of AuthoritativeAPI to ClusterAPI", func() {
@@ -203,6 +205,8 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 
 It("should succeed in switching back the AuthoritativeAPI to MachineAPI after the initial switch to ClusterAPI", func() {
 switchMachineSetAuthoritativeAPI(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSetAuthoritative(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
+ verifyMachineSetSynchronizedAPI(mapiMachineSet, mapiv1beta1.MachineAPISynchronized)
 verifyMachineSetPausedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMachineSetPausedCondition(capiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
 verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityMachineAPI)
@@ -332,6 +336,8 @@ var _ = Describe("[sig-cluster-lifecycle][OCPFeatureGate:MachineAPIMigration] Ma
 BeforeAll(func() {
 switchMachineSetAuthoritativeAPI(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI, mapiv1beta1.MachineAuthorityClusterAPI)
 verifyMAPIMachineSetSynchronizedCondition(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSetAuthoritative(mapiMachineSet, mapiv1beta1.MachineAuthorityClusterAPI)
+ verifyMachineSetSynchronizedAPI(mapiMachineSet, mapiv1beta1.ClusterAPISynchronized)
 })
 
 It("should be rejected when scaling MAPI MachineSet", func() {
diff --git a/go.mod b/go.mod
index a79fc0eb1..b0f18fd9c 100644
--- a/go.mod
+++ b/go.mod
@@ -21,8 +21,8 @@ require (
 github.com/metal3-io/cluster-api-provider-metal3/api v1.11.2
 github.com/onsi/ginkgo/v2 v2.27.2
 github.com/onsi/gomega v1.38.2
- github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7
- github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae
+ github.com/openshift/api v0.0.0-20260209232644-126cbbe24427
+ github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0
 github.com/openshift/library-go v0.0.0-20251222131241-289839b3ffe8
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index 58292acf0..d257ad0da 100644
--- a/go.sum
+++ b/go.sum
@@ -437,10 +437,10 @@ github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns
 github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
-github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7 h1:DeKd90ff6ieG02cFroiRTh7oKguGVaEYyTDkXHLIn5A=
-github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae h1:veyDeAOBVJun1KoOsTIRlD7Q5LwRR32kfS2IPjPXJKE=
-github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae/go.mod h1:leoeMrUnO40DwByGl7we2l+h6HQq3Y6bHUa+DnmRl+8=
+github.com/openshift/api v0.0.0-20260209232644-126cbbe24427 h1:MExw+yvWGmbwlTpsO8sk16n3YQeeE2QxLmLpQouIGeE=
+github.com/openshift/api v0.0.0-20260209232644-126cbbe24427/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251211141525-c707612472dc h1:aoEt01DcIODnDwmc7oTqWInTMytifc3QbBkLp2RKDOU=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251211141525-c707612472dc/go.mod h1:Ahm3XvgKKIyKKYCG3oX2w7bE7twCT2kG71ykwwxUh18=
 github.com/openshift/cluster-api-provider-azure v0.0.0-20251202084521-c2e0e38d1e0e h1:yP0NOooxbZNQVd0zZQ/k2gy9T7vE7QfxmuaS8Q+oZD8=
diff --git a/go.work b/go.work
index eb429a15f..89e3b643a 100644
--- a/go.work
+++ b/go.work
@@ -10,7 +10,8 @@ use (
 replace (
 github.com/metal3-io/baremetal-operator => github.com/metal3-io/baremetal-operator v0.5.1
 github.com/openshift/cluster-api-actuator-pkg => github.com/openshift/cluster-api-actuator-pkg v0.0.0-20251212150432-4a60119d9691
- github.com/openshift/cluster-api-actuator-pkg/testutils => github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251212150432-4a60119d9691
+ github.com/openshift/cluster-api-actuator-pkg/testutils => github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e
+ github.com/openshift/client-go => ../client-go
 sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.11.3
 sigs.k8s.io/cluster-api-provider-azure => github.com/openshift/cluster-api-provider-azure v0.0.0-20251202084521-c2e0e38d1e0e
 )
diff --git a/go.work.sum b/go.work.sum
index adde38675..693d6b72b 100644
--- a/go.work.sum
+++ b/go.work.sum
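Review bot: The new `github.com/openshift/client-go => ../client-go` replace points the workspace at a sibling checkout outside this repository, so the build consumes whatever happens to be on disk at that path instead of the `v0.0.0-20260108185524-48f4ccfc4e13` pin that go.mod and go.sum in this same diff record; if it is a local-development override it should not be committed, and if it is intentional the commit description should say which client-go revision the code was validated against. The `cluster-api-actuator-pkg/testutils` replace moves from the openshift org to a personal fork (`github.com/radekmanak/...`), which shifts the trust boundary for test-utility code to an individual account; upstreaming the change, or a comment naming the pending upstream PR, would let a reviewer see why the fork is required. The go.work.sum hunk keeps hashes for two fork revisions (`20260126030211-e08505afaac7` and `20260204135636-0341bab0647e`) while only the latter is referenced here, so the older entry looks stale.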
@@ -457,9 +457,11 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-openapi/analysis v0.21.5/go.mod h1:25YcZosX9Lwz2wBsrFrrsL8bmjjXdlyP6zsr2AMy29M=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/jsonreference v0.20.3/go.mod h1:FviDZ46i9ivh810gqzFLl5NttD5q3tSlMLqLr6okedM=
@@ -467,6 +469,7 @@ github.com/go-openapi/loads v0.21.3/go.mod h1:Y3aMR24iHbKHppOj91nQ/SHc0cuPbAr4nd
 github.com/go-openapi/runtime v0.26.2/go.mod h1:O034jyRZ557uJKzngbMDJXkcKJVzXJiymdSfgejrcRw=
 github.com/go-openapi/spec v0.20.12/go.mod h1:iSCgnBcwbMW9SfzJb8iYynXvcY6C/QFrI7otzF7xGM4=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A=
 github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -780,6 +783,10 @@ github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/quasilyte/go-ruleguard/rules v0.0.0-20211022131956-028d6511ab71/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50=
+github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260126030211-e08505afaac7 h1:Nvq/cIXNqVFGDtbKtAgTEiaHtdTEZaNghM5Bo2B/A5o=
+github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260126030211-e08505afaac7/go.mod h1:Ahm3XvgKKIyKKYCG3oX2w7bE7twCT2kG71ykwwxUh18=
+github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e h1:DcSjTDoelvmTFs+uznC4RR+T/tX/ka1jgi3pvG3xsXI=
+github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e/go.mod h1:c4v/gqjGEITx27QPb6ivyRzwW/XD3bY41XsMQLL8I34=
 github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -817,12 +824,14 @@ github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJ
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
@@ -963,6 +972,7 @@ golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5
 golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1003,6 +1013,7 @@ golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.20.0/go.mod h1:hTbmBs62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1048,8 +1059,10 @@ golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1078,6 +1091,7 @@ golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1144,8 +1158,10 @@ golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
@@ -1387,6 +1403,7 @@ google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojt
 google.golang.org/protobuf v1.36.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1458,6 +1475,7 @@ k8s.io/pod-security-admission v0.32.2/go.mod h1:yxMPB3i1pGMLfxbe4BiWMuowMD7cdHR3
 k8s.io/sample-apiserver v0.33.3/go.mod h1:2A8Kv24Rkpzepr7Y6/VL4lGyAZTySl1cvdWzZ2OB3DA=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/pkg/controllers/machinemigration/machine_migration_controller.go b/pkg/controllers/machinemigration/machine_migration_controller.go
index d6eed8073..eec264725 100644
--- a/pkg/controllers/machinemigration/machine_migration_controller.go
+++ b/pkg/controllers/machinemigration/machine_migration_controller.go
@@ -18,6 +18,7 @@ package machinemigration
 
 import (
 "context"
+ "errors"
 "fmt"
 "time"
 
@@ -48,6 +49,12 @@ import (
 
 const controllerName = "MachineMigrationController"
 
+// errInvalidSynchronizedAPI is returned when SynchronizedAPI has an unexpected value.
+var errInvalidSynchronizedAPI = errors.New("invalid synchronizedAPI value")
+
+// errInfraObjectAssertion is returned when the infra machine object cannot be asserted as client.Object.
+var errInfraObjectAssertion = errors.New("unable to assert Cluster API infra machine as client.Object")
+
 // MachineMigrationReconciler reconciles Machine resources for migration.
 type MachineMigrationReconciler struct {
 client.Client
@@ -128,7 +135,8 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil
 // as such if any change is done to this logic, please consider changing it also there. See:
 // https://github.com/openshift/machine-api-operator/pull/1386/files#diff-8a4a734efbb8fef769f9f6ba5d30d94f19433a0b1eaeb1be4f2a55aa226c3b3dR180-R197
 if mapiMachine.Status.AuthoritativeAPI == "" {
- if err := r.applyStatusAuthoritativeAPIWithPatch(ctx, mapiMachine, mapiMachine.Spec.AuthoritativeAPI); err != nil {
+ // Initialize status.AuthoritativeAPI from spec.AuthoritativeAPI.
+ if err := r.applyMigrationStatusWithPatch(ctx, mapiMachine, mapiMachine.Spec.AuthoritativeAPI); err != nil {
 return ctrl.Result{}, fmt.Errorf("unable to apply authoritativeAPI to status with patch: %w", err)
 }
 
@@ -136,6 +144,33 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil
 return ctrl.Result{}, nil
 }
 
+ currentAuthority, desiredAuthority, isMigrating := synccommon.MigrationDirection(
+ mapiMachine.Status.AuthoritativeAPI,
+ mapiMachine.Status.SynchronizedAPI,
+ mapiMachine.Spec.AuthoritativeAPI,
+ )
+
+ // Handle migration cancellation: if already in Migrating state and spec matches
+ // the source authority (before migration started), the user wants to cancel.
+ if isMigrating && currentAuthority != "" && desiredAuthority == currentAuthority {
+ logger.Info("Migration cancellation detected, rolling back to source authority",
+ "sourceAuthority", currentAuthority)
+
+ // Unpause any resources that were paused during migration attempt.
+ if err := r.ensureUnpauseAfterCancellation(ctx, mapiMachine); err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to unpause after cancellation: %w", err)
+ }
+
+ // Reset status back to source authority and reset sync status.
+ if err := r.applyMigrationStatusAndResetSyncStatusWithPatch(ctx, mapiMachine, currentAuthority); err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to rollback migration: %w", err)
+ }
+
+ logger.Info("Migration cancelled and rolled back successfully")
+
+ return ctrl.Result{}, nil
+ }
+
 // Check that the resource is synchronized and up-to-date.
 //
 // This MUST be checked BEFORE setting status.authoritativeAPI to Migrating,
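Review bot: The cancellation guard `if isMigrating && currentAuthority != "" && desiredAuthority == currentAuthority` treats an empty source authority as a possible outcome of `MigrationDirection`, yet when it is empty and not a cancellation the reconcile simply continues and hands that empty value to `requestOldAuthoritativeResourcePaused` and `isOldAuthoritativeResourcePaused` in the later hunks, where the rewritten `isOldAuthoritativeResourcePaused` body treats anything other than `MachineAuthorityMachineAPI` as ClusterAPI and would pause-check the wrong resource. Rejecting that state explicitly right after the `MigrationDirection` call, e.g. `if isMigrating && currentAuthority == "" { return ctrl.Result{}, fmt.Errorf("%w: empty source authority while migrating", errInvalidSynchronizedAPI) }`, keeps the pause/unpause helpers from acting on a guessed authority and gives the newly added sentinel a visible caller in this file, unless it is already used in a hunk not shown here. Whether `MigrationDirection` can in fact return an empty current authority is not visible on this page; Reconcile continues outside the hunk.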
@@ -151,11 +186,11 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil
 }
 
 // Make sure the authoritativeAPI resource status is set to migrating.
- if mapiMachine.Status.AuthoritativeAPI != mapiv1beta1.MachineAuthorityMigrating {
+ if !isMigrating {
 logger.Info("Detected migration request for machine")
 
- if err := r.applyStatusAuthoritativeAPIWithPatch(ctx, mapiMachine, mapiv1beta1.MachineAuthorityMigrating); err != nil {
- return ctrl.Result{}, fmt.Errorf("unable to set authoritativeAPI %q to status: %w", mapiv1beta1.MachineAuthorityMigrating, err)
+ if err := r.applyMigrationStatusWithPatch(ctx, mapiMachine, mapiv1beta1.MachineAuthorityMigrating); err != nil {
+ return ctrl.Result{}, fmt.Errorf("unable to set authoritativeAPI to Migrating: %w", err)
 }
 
 logger.Info("Acknowledged migration request for machine")
@@ -165,7 +200,7 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil
 }
 
 // Request pausing on the authoritative resource.
- if updated, err := r.requestOldAuthoritativeResourcePaused(ctx, mapiMachine); err != nil {
+ if updated, err := r.requestOldAuthoritativeResourcePaused(ctx, mapiMachine, currentAuthority); err != nil {
 return ctrl.Result{}, fmt.Errorf("failed to request pause on authoritative machine: %w", err)
 } else if updated {
 logger.Info("Requested pausing for authoritative machine")
@@ -178,7 +213,7 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil
 }
 
 // Check that the authoritative resource is paused.
- if paused, err := r.isOldAuthoritativeResourcePaused(ctx, mapiMachine); err != nil {
+ if paused, err := r.isOldAuthoritativeResourcePaused(ctx, mapiMachine, currentAuthority); err != nil {
 return ctrl.Result{}, fmt.Errorf("failed to check paused on authoritative machine: %w", err)
 } else if !paused {
 // The Authoritative API resource is not paused yet, requeue to check later.
@@ -188,24 +223,38 @@ func (r *MachineMigrationReconciler) Reconcile(ctx context.Context, req reconcil } // Make sure the new authoritative resource has been requested to unpause. - if err := r.ensureUnpauseRequestedOnNewAuthoritativeResource(ctx, mapiMachine); err != nil { + if err := r.ensureUnpauseRequestedOnNewAuthoritativeResource(ctx, mapiMachine, desiredAuthority); err != nil { return ctrl.Result{}, fmt.Errorf("unable to ensure the new AuthoritativeAPI has been un-paused: %w", err) } - // Set the actual AuthoritativeAPI to the desired one, reset the synchronized generation and condition. - if err := synccommon.ApplyAuthoritativeAPIAndResetSyncStatus[*machinev1applyconfigs.MachineStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.Machine, mapiMachine, mapiMachine.Spec.AuthoritativeAPI); err != nil { + // Check that the new authoritative resource has been unpaused by its controller. + // This ensures the target controller is running and responsive before completing migration. + if unpaused, err := r.isNewAuthoritativeResourceUnpaused(ctx, mapiMachine, desiredAuthority); err != nil { + return ctrl.Result{}, fmt.Errorf("failed to check unpaused on new authoritative machine: %w", err) + } else if !unpaused { + // The new authoritative resource is not unpaused yet. + // The watches on CAPI Machine and InfraMachine will trigger reconciliation + // when the target controller updates the Paused condition. + logger.Info("New authoritative machine is not unpaused yet, waiting for target controller") + + return ctrl.Result{}, nil + } + + // Set the actual AuthoritativeAPI to the desired one and reset the synchronized generation and condition. + // SynchronizedAPI will be updated by the sync controller after resync. 
+ if err := r.applyMigrationStatusAndResetSyncStatusWithPatch(ctx, mapiMachine, mapiMachine.Spec.AuthoritativeAPI); err != nil { return ctrl.Result{}, fmt.Errorf("failed to apply authoritativeAPI and reset sync status: %w", err) } - logger.Info("Machine authority switch has now been completed and the resource unpaused") + logger.Info("Machine authority switch has now been completed and the resource unpaused", "authoritativeAPI", mapiMachine.Spec.AuthoritativeAPI) logger.Info("Machine migrated successfully") return ctrl.Result{}, nil } // isOldAuthoritativeResourcePaused checks whether the old authoritative resource is paused. -func (r *MachineMigrationReconciler) isOldAuthoritativeResourcePaused(ctx context.Context, m *mapiv1beta1.Machine) (bool, error) { - if m.Spec.AuthoritativeAPI == mapiv1beta1.MachineAuthorityClusterAPI { +func (r *MachineMigrationReconciler) isOldAuthoritativeResourcePaused(ctx context.Context, m *mapiv1beta1.Machine, sourceAuthority mapiv1beta1.MachineAuthority) (bool, error) { + if sourceAuthority == mapiv1beta1.MachineAuthorityMachineAPI { cond, err := util.GetConditionStatus(m, "Paused") if err != nil { return false, fmt.Errorf("unable to get paused condition for %s/%s: %w", m.Namespace, m.Name, err) @@ -214,7 +263,7 @@ func (r *MachineMigrationReconciler) isOldAuthoritativeResourcePaused(ctx contex return cond == corev1.ConditionTrue, nil } - // For MachineAuthorityMachineAPI, check the corresponding CAPI resource. + // For MachineAuthorityClusterAPI, check the corresponding CAPI resource. capiMachine := &clusterv1.Machine{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: m.Name}, capiMachine); err != nil { return false, fmt.Errorf("failed to get Cluster API machine: %w", err) 
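Review bot: isOldAuthoritativeResourcePaused treats every `sourceAuthority` other than MachineAPI as ClusterAPI (`if sourceAuthority == mapiv1beta1.MachineAuthorityMachineAPI {` … otherwise read the CAPI machine), whereas the new isNewAuthoritativeResourceUnpaused rejects an unknown `targetAuthority` with an error; an empty or Migrating source would here silently pause-check the CAPI objects. Make it a `switch sourceAuthority` with explicit MachineAPI and ClusterAPI cases and `default: return false, fmt.Errorf("unsupported source authority: %s", sourceAuthority)` so the two helpers agree. Separately, the new wait on isNewAuthoritativeResourceUnpaused returns `ctrl.Result{}` and relies on watches, but for a MachineAPI target the Paused condition lives on the MAPI Machine's own status, so this only re-triggers if the controller's MAPI watch does not filter status-only updates; the comment should say which watch covers that case. The body of isOldAuthoritativeResourcePaused continues past the end of this hunk.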
@@ -240,10 +289,56 @@ func (r *MachineMigrationReconciler) isOldAuthoritativeResourcePaused(ctx contex return (machinePausedCondition.Status == metav1.ConditionTrue) && (infraMachinePausedConditionStatus == corev1.ConditionTrue), nil } -func (r *MachineMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeResource(ctx context.Context, mapiMachine *mapiv1beta1.Machine) error { +// isNewAuthoritativeResourceUnpaused checks whether the new authoritative resource has been unpaused +// by its controller. This ensures the target controller is running and responsive before completing migration. +func (r *MachineMigrationReconciler) isNewAuthoritativeResourceUnpaused(ctx context.Context, m *mapiv1beta1.Machine, targetAuthority mapiv1beta1.MachineAuthority) (bool, error) { + switch targetAuthority { + case mapiv1beta1.MachineAuthorityMachineAPI: + cond, err := util.GetConditionStatus(m, "Paused") + if err != nil { + // If we can't get the condition (e.g., no status/conditions), treat as unpaused + return true, nil + } + + return cond != corev1.ConditionTrue, nil + case mapiv1beta1.MachineAuthorityClusterAPI: + capiMachine := &clusterv1.Machine{} + if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: m.Name}, capiMachine); err != nil { + return false, fmt.Errorf("failed to get Cluster API machine: %w", err) + } + + machinePausedCondition := conditions.Get(capiMachine, clusterv1.PausedCondition) + if machinePausedCondition != nil && machinePausedCondition.Status == metav1.ConditionTrue { + return false, nil + } + + infraMachineRef := capiMachine.Spec.InfrastructureRef + + infraMachine, err := external.GetObjectFromContractVersionedRef(ctx, r.Client, infraMachineRef, capiMachine.Namespace) + if err != nil { + return false, fmt.Errorf("failed to get Cluster API infra machine: %w", err) + } + + infraMachinePausedConditionStatus, err := util.GetConditionStatus(infraMachine, clusterv1.PausedCondition) + if err != nil { + // If we can't get the condition, 
treat as unpaused + return true, nil + } + + if infraMachinePausedConditionStatus == corev1.ConditionTrue { + return false, nil + } + + return true, nil + default: + return false, fmt.Errorf("unsupported target authority: %s", targetAuthority) + } +} + +func (r *MachineMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeResource(ctx context.Context, mapiMachine *mapiv1beta1.Machine, targetAuthority mapiv1beta1.MachineAuthority) error { // Request that the new authoritative resource reconciliation is un-paused. //nolint:wsl - switch mapiMachine.Spec.AuthoritativeAPI { + switch targetAuthority { case mapiv1beta1.MachineAuthorityClusterAPI: // For requesting unpausing of a CAPI resource, remove the paused annotation on it. // So check if the ClusterAPI resource has the paused annotation and if so remove it. @@ -271,7 +366,7 @@ func (r *MachineMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeRes if annotations.HasPaused(infraMachine) { infraMachineCopy, ok := infraMachine.DeepCopyObject().(client.Object) if !ok { - return fmt.Errorf("unable to assert Cluster API infra machine as client.Object: %w", err) + return errInfraObjectAssertion } util.RemoveAnnotation(infraMachine, clusterv1.PausedAnnotation) 
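Review bot: isNewAuthoritativeResourceUnpaused fails open at three points: an unreadable Paused condition on the MAPI Machine (`return true, nil` after the GetConditionStatus error), a nil `machinePausedCondition` on the CAPI Machine, and an unreadable Paused condition on the infra machine are all reported as "unpaused", which is precisely the state this check is documented to rule out ("ensures the target controller is running and responsive"). For the MachineAPI target the condition is relied upon as present by isOldAuthoritativeResourcePaused, so return the error there instead of `true`: `return false, fmt.Errorf("unable to get paused condition for %s/%s: %w", m.Namespace, m.Name, err)`. If some infra providers legitimately never publish a Paused condition the CAPI-side fail-open may be needed, but it should at least be logged so a silent target controller is visible rather than indistinguishable from a healthy one. The ClusterAPI case also uses `capiMachine.Spec.InfrastructureRef` without the empty-name guard that unpauseInfraMachine applies.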
@@ -290,18 +385,18 @@ func (r *MachineMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeRes } // requestOldAuthoritativeResourcePaused requests the old authoritative resource is paused. -func (r *MachineMigrationReconciler) requestOldAuthoritativeResourcePaused(ctx context.Context, m *mapiv1beta1.Machine) (bool, error) { +func (r *MachineMigrationReconciler) requestOldAuthoritativeResourcePaused(ctx context.Context, m *mapiv1beta1.Machine, sourceAuthority mapiv1beta1.MachineAuthority) (bool, error) { // Request that the old authoritative resource reconciliation is paused. updated := false //nolint:wsl - switch m.Spec.AuthoritativeAPI { - case mapiv1beta1.MachineAuthorityClusterAPI: + switch sourceAuthority { + case mapiv1beta1.MachineAuthorityMachineAPI: // For requesting pausing of a MAPI resource, it is sufficient to switch the spec.AuthoritativeAPI field on the MAPI resource. // which is already done before this code runs in this controller. - case mapiv1beta1.MachineAuthorityMachineAPI: + case mapiv1beta1.MachineAuthorityClusterAPI: // For requesting pausing of a CAPI resource, set the paused annotation on it. - // The spec.AuthoritativeAPI is set to MachineAPI, meaning that the old authoritativeAPI was ClusterAPI. - // So Check if the ClusterAPI resource has the paused annotation, otherwise set it. + // This is required when the old authoritative API is ClusterAPI, so check if the ClusterAPI resource + // has the paused annotation, otherwise set it. capiMachine := &clusterv1.Machine{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: m.Name}, capiMachine); err != nil { return false, fmt.Errorf("failed to get Cluster API machine: %w", err) 
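Review bot: With the switch now keyed on `sourceAuthority`, an empty or unexpected value reaches neither case shown in this hunk; whether a `default` branch exists further down is outside the hunk, and if it does not, an unknown source silently yields `updated == false` and the caller proceeds as if the pause request had been made. Add `default: return false, fmt.Errorf("unsupported source authority: %s", sourceAuthority)` so the controller fails loudly, matching the default in isNewAuthoritativeResourceUnpaused. The function continues past the end of this hunk.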
@@ -327,7 +422,7 @@ func (r *MachineMigrationReconciler) requestOldAuthoritativeResourcePaused(ctx c if !annotations.HasPaused(infraMachine) { infraMachineCopy, ok := infraMachine.DeepCopyObject().(client.Object) if !ok { - return false, fmt.Errorf("unable to assert Cluster API infra machine as client.Object: %w", err) + return false, errInfraObjectAssertion } annotations.AddAnnotations(infraMachine, map[string]string{clusterv1.PausedAnnotation: ""}) if err := r.Patch(ctx, infraMachine, client.MergeFrom(infraMachineCopy)); err != nil { 
@@ -352,41 +447,102 @@ func (r *MachineMigrationReconciler) isSynchronized(ctx context.Context, mapiMac return false, nil } - // Because we are in a migration (spec.authoritativeAPI != - // status.authoritativeAPI), we assume that spec.authoritativeAPI is - // currently the migration target, not the migration source. So: - // - // target: spec.authoritativeAPI - // source: opposite of target - // - // We want to assert that source has been synched to target, so we need to - // treat spec.AuthoritativeAPI as the opposite of the direction we want to - // check. - // - // We may revisit this, as this assumption is not safe if a user aborts an - // in-progress migration by resetting spec.authoritativeAPI to its original - // value. - - switch mapiMachine.Spec.AuthoritativeAPI { - case mapiv1beta1.MachineAuthorityClusterAPI: + // Use SynchronizedAPI to deterministically know which object's generation + // the SynchronizedGeneration refers to. This avoids the previous heuristic + // which was not safe when a user aborts an in-progress migration. + switch mapiMachine.Status.SynchronizedAPI { + case mapiv1beta1.MachineAPISynchronized: return mapiMachine.Status.SynchronizedGeneration == mapiMachine.Generation, nil - case mapiv1beta1.MachineAuthorityMachineAPI: + case mapiv1beta1.ClusterAPISynchronized: capiMachine := &clusterv1.Machine{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: mapiMachine.Name}, capiMachine); err != nil { return false, fmt.Errorf("failed to get Cluster API machine: %w", err) } - // Given the CAPI infra machine template is immutable - // we do not check for its generation to be synced up with the generation of the MAPI machine set. 
- return (mapiMachine.Status.SynchronizedGeneration == capiMachine.Generation), nil - case mapiv1beta1.MachineAuthorityMigrating: + return mapiMachine.Status.SynchronizedGeneration == capiMachine.Generation, nil + case "": + // SynchronizedAPI not yet set by sync controller - not synchronized + return false, nil + default: + return false, fmt.Errorf("%w: %s", errInvalidSynchronizedAPI, mapiMachine.Status.SynchronizedAPI) } +} - // Should have been prevented by validation - return false, fmt.Errorf("%w: %s", controllers.ErrInvalidSpecAuthoritativeAPI, mapiMachine.Spec.AuthoritativeAPI) +// applyMigrationStatusWithPatch updates the migration controller status fields using a server-side apply patch. +func (r *MachineMigrationReconciler) applyMigrationStatusWithPatch(ctx context.Context, m *mapiv1beta1.Machine, authority mapiv1beta1.MachineAuthority) error { + return synccommon.ApplyMigrationStatus[*machinev1applyconfigs.MachineStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.Machine, m, authority) } -// applyStatusAuthoritativeAPIWithPatch updates the resource status.authoritativeAPI using a server-side apply patch. -func (r *MachineMigrationReconciler) applyStatusAuthoritativeAPIWithPatch(ctx context.Context, m *mapiv1beta1.Machine, authority mapiv1beta1.MachineAuthority) error { - return synccommon.ApplyAuthoritativeAPI[*machinev1applyconfigs.MachineStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.Machine, m, authority) +// applyMigrationStatusAndResetSyncStatusWithPatch updates the migration controller status and resets sync status. 
+func (r *MachineMigrationReconciler) applyMigrationStatusAndResetSyncStatusWithPatch(ctx context.Context, m *mapiv1beta1.Machine, authority mapiv1beta1.MachineAuthority) error { + return synccommon.ApplyMigrationStatusAndResetSyncStatus[*machinev1applyconfigs.MachineStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.Machine, m, authority) +} + +// ensureUnpauseAfterCancellation ensures CAPI resources are unpaused after migration cancellation. +// When cancelling a migration, any CAPI resources that may have been paused should be unpaused. +func (r *MachineMigrationReconciler) ensureUnpauseAfterCancellation(ctx context.Context, mapiMachine *mapiv1beta1.Machine) error { + capiMachine := &clusterv1.Machine{} + if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: mapiMachine.Name}, capiMachine); err != nil { + if apierrors.IsNotFound(err) { + return nil + } + + return fmt.Errorf("failed to get Cluster API machine: %w", err) + } + + if err := r.removePausedAnnotation(ctx, capiMachine); err != nil { + return err + } + + return r.unpauseInfraMachine(ctx, capiMachine) +} + +// removePausedAnnotation removes the paused annotation from a CAPI machine if present. +func (r *MachineMigrationReconciler) removePausedAnnotation(ctx context.Context, capiMachine *clusterv1.Machine) error { + if !annotations.HasPaused(capiMachine) { + return nil + } + + capiMachineCopy := capiMachine.DeepCopy() + delete(capiMachine.Annotations, clusterv1.PausedAnnotation) + + if err := r.Patch(ctx, capiMachine, client.MergeFrom(capiMachineCopy)); err != nil { + return fmt.Errorf("failed to remove paused annotation from Cluster API machine: %w", err) + } + + return nil +} + +// unpauseInfraMachine removes the paused annotation from the infra machine if present. 
+func (r *MachineMigrationReconciler) unpauseInfraMachine(ctx context.Context, capiMachine *clusterv1.Machine) error { + infraMachineRef := capiMachine.Spec.InfrastructureRef + if infraMachineRef.Name == "" { + return nil + } + + infraMachine, err := external.GetObjectFromContractVersionedRef(ctx, r.Client, infraMachineRef, capiMachine.Namespace) + if err != nil { + if apierrors.IsNotFound(err) { + return nil + } + + return fmt.Errorf("failed to get Cluster API infra machine: %w", err) + } + + if !annotations.HasPaused(infraMachine) { + return nil + } + + infraMachineCopy, ok := infraMachine.DeepCopyObject().(client.Object) + if !ok { + return errInfraObjectAssertion + } + + util.RemoveAnnotation(infraMachine, clusterv1.PausedAnnotation) + + if err := r.Patch(ctx, infraMachine, client.MergeFrom(infraMachineCopy)); err != nil { + return fmt.Errorf("failed to remove paused annotation from Cluster API infra machine: %w", err) + } + + return nil } diff --git a/pkg/controllers/machinemigration/machine_migration_controller_test.go b/pkg/controllers/machinemigration/machine_migration_controller_test.go index 7ed302a17..c95f8c4b3 100644 --- a/pkg/controllers/machinemigration/machine_migration_controller_test.go +++ b/pkg/controllers/machinemigration/machine_migration_controller_test.go @@ -17,8 +17,10 @@ limitations under the License. package machinemigration import ( + "github.com/google/go-cmp/cmp" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + ctrl "sigs.k8s.io/controller-runtime" mapiv1beta1 "github.com/openshift/api/machine/v1beta1" capiv1resourcebuilder "github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/cluster-api/core/v1beta2" 
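Review bot: ensureUnpauseAfterCancellation unconditionally strips the paused annotation from the CAPI Machine and infra machine, which is the right rollback only when the source authority was ClusterAPI. When a MachineAPI→ClusterAPI migration is cancelled after ensureUnpauseRequestedOnNewAuthoritativeResource has already removed those annotations (the reconciler now parks in that state waiting on isNewAuthoritativeResourceUnpaused, so the window is real), resetting status to MachineAPI leaves the CAPI controllers unpaused on a machine MAPI is again authoritative for; in that direction the annotation has to be restored. Pass `currentAuthority` from the cancellation branch in Reconcile (`r.ensureUnpauseAfterCancellation(ctx, mapiMachine, currentAuthority)`) and branch on it, reusing the annotation-setting logic in requestOldAuthoritativeResourcePaused for the re-pause. Also, `removePausedAnnotation` uses `delete(capiMachine.Annotations, …)` while the rest of the file uses `util.RemoveAnnotation`; pick one.
```go
// ensureUnpauseAfterCancellation rolls the CAPI objects' pause state back to what the
// source authority expects: unpaused when ClusterAPI was authoritative, paused
// (annotation restored) when MachineAPI was.
func (r *MachineMigrationReconciler) ensureUnpauseAfterCancellation(ctx context.Context, mapiMachine *mapiv1beta1.Machine, sourceAuthority mapiv1beta1.MachineAuthority) error {
	switch sourceAuthority {
	case mapiv1beta1.MachineAuthorityMachineAPI:
		// CAPI must stay non-authoritative: re-request the pause the forward path may have lifted.
		_, err := r.requestOldAuthoritativeResourcePaused(ctx, mapiMachine, mapiv1beta1.MachineAuthorityClusterAPI)
		return err
	case mapiv1beta1.MachineAuthorityClusterAPI:
		// … unchanged: Get CAPI machine (NotFound tolerated), removePausedAnnotation, unpauseInfraMachine …
	default:
		return fmt.Errorf("unsupported source authority: %s", sourceAuthority)
	}
}
```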
@@ -197,16 +199,18 @@ var _ = Describe("With a running MachineMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, mapiMachine)).Should(Succeed()) - By("Setting the MAPI machine status AuthoritativeAPI to MachineAPI") + By("Setting the MAPI machine status AuthoritativeAPI and SynchronizedAPI to MachineAPI") Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMachineAPI). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionFalse}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) @@ -214,10 +218,12 @@ var _ = Describe("With a running MachineMigration controller", func() { }) It("should do nothing", func() { + initialMAPIMachine := mapiMachine.DeepCopy() initialMAPIMachineRV := mapiMachine.ResourceVersion _, err := reconciler.Reconcile(ctx, req) Expect(err).NotTo(HaveOccurred(), "reconciler should not have errored") - Eventually(k.Object(mapiMachine)).Should(HaveField("ObjectMeta.ResourceVersion", Equal(initialMAPIMachineRV)), "should not have modified the machine") + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(mapiMachine), mapiMachine)).To(Succeed()) + Expect(mapiMachine.ResourceVersion).To(Equal(initialMAPIMachineRV), "should not have modified the machine: %s", cmp.Diff(initialMAPIMachine, mapiMachine)) }) }) 
@@ -239,12 +245,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMachineAPI). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation })).Should(Succeed()) @@ -281,12 +289,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation })).Should(Succeed()) 
@@ -323,12 +333,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions mapiMachine.Status.SynchronizedGeneration = mapiMachine.Generation })).Should(Succeed()) @@ -378,6 +390,7 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, @@ -392,6 +405,7 @@ var _ = Describe("With a running MachineMigration controller", func() { }). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation })).Should(Succeed()) 
@@ -434,12 +448,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) @@ -520,12 +536,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.SynchronizedGeneration = 9999 // Do not match .metadata.generation field. mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) 
@@ -560,12 +578,14 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI mapiMachine.Status.SynchronizedGeneration = 9999 // Do not match .metadata.generation field. mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) @@ -583,14 +603,11 @@ var _ = Describe("With a running MachineMigration controller", func() { }) }) - Context("when all the prerequisites for switching the authoritative API are satisfied", func() { + Context("when the new authoritative resource is still paused", func() { Context("when migrating from MachineAPI to ClusterAPI", func() { BeforeEach(func() { By("Setting the MAPI machine spec AuthoritativeAPI to ClusterAPI") mapiMachine = mapiMachineBuilder. - // Set desired authoritative API in spec to ClusterAPI. - // To check for requesting pausing on the the MAPI resource it is sufficient - // see that the spec.AuthoritativeAPI field is set to ClusterAPI. WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityClusterAPI). Build() Eventually(k8sClient.Create(ctx, mapiMachine)).Should(Succeed()) 
@@ -599,6 +616,7 @@ var _ = Describe("With a running MachineMigration controller", func() { Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, @@ -613,11 +631,12 @@ var _ = Describe("With a running MachineMigration controller", func() { }). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI - mapiMachine.Status.SynchronizedGeneration = mapiMachine.Generation // Match the MAPI .metadata.generation field. + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI + mapiMachine.Status.SynchronizedGeneration = mapiMachine.Generation mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) - By("Creating a mirror CAPI machine") + By("Creating a mirror CAPI machine with Paused=True (controller has not acknowledged unpause)") capiMachine = capiMachineBuilder. WithAnnotations(map[string]string{ clusterv1.PausedAnnotation: "", @@ -633,7 +652,7 @@ var _ = Describe("With a running MachineMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, capaMachine)).Should(Succeed()) - By("Setting the CAPI machine status condition to 'Paused'") + By("Setting the CAPI machine status condition to 'Paused' (not yet unpaused)") Eventually(k.UpdateStatus(capiMachine, func() { updatedCAPIMachine := capiMachineBuilder.Build() updatedCAPIMachine.Status.Conditions = []metav1.Condition{{ 
@@ -647,20 +666,55 @@ var _ = Describe("With a running MachineMigration controller", func() { req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachine)} }) - It("should set the new to-be authoritative resource (CAPI) to actually be authoritative and unpause it", func() { - result, err := reconciler.Reconcile(ctx, req) - Expect(err).NotTo(HaveOccurred()) - Expect(result.Requeue).To(BeFalse()) + It("should wait in Migrating until unpaused, then complete migration", func() { + result, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachine)).Should( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + ) + Eventually(komega.Object(capiMachine)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation)), + ) + Eventually(komega.Object(capaMachine)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation)), + ) + + By("Unpausing the CAPI machine and infra machine") + Eventually(k.UpdateStatus(capiMachine, func() { + updatedCAPIMachine := capiMachineBuilder.Build() + updatedCAPIMachine.Status.Conditions = []metav1.Condition{{ + Type: clusterv1.PausedCondition, + Status: metav1.ConditionFalse, + LastTransitionTime: metav1.Now(), + }} + capiMachine.Status = updatedCAPIMachine.Status + })).Should(Succeed()) - Eventually(komega.Object(mapiMachine)).Should(SatisfyAll( - HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityClusterAPI)), - HaveField("Status.SynchronizedGeneration", BeZero()), - )) + Eventually(k.UpdateStatus(capaMachine, func() { + updatedCAPIInfraMachine := capaMachineBuilder.Build() + updatedCAPIInfraMachine.Status.Conditions = clusterv1beta1.Conditions{ + { + Type: clusterv1beta1.PausedV1Beta2Condition, + Status: corev1.ConditionFalse, + LastTransitionTime: metav1.Now(), + }, + } + capaMachine.Status = updatedCAPIInfraMachine.Status 
+ })).Should(Succeed()) - Eventually(komega.Object(capiMachine)).ShouldNot( - HaveField("ObjectMeta.Annotations", ContainElement(HaveKeyWithValue(clusterv1.PausedAnnotation, "")))) - }) + result, err = reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachine)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityClusterAPI)), + HaveField("Status.SynchronizedGeneration", BeZero()), + )) + }) }) + Context("when migrating from ClusterAPI to MachineAPI", func() { BeforeEach(func() { By("Setting the MAPI machine spec AuthoritativeAPI to MachineAPI") @@ -683,10 +737,11 @@ var _ = Describe("With a running MachineMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, capaMachine)).Should(Succeed()) - By("Setting the MAPI machine status AuthoritativeAPI to 'Migrating'") + By("Setting the MAPI machine status AuthoritativeAPI to 'Migrating' with Paused=True (not yet unpaused)") Eventually(k.UpdateStatus(mapiMachine, func() { updatedMAPIMachine := mapiMachineBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, @@ -701,7 +756,8 @@ var _ = Describe("With a running MachineMigration controller", func() { }). Build() mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI - mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation // Match the CAPI .metadata.generation field. + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI + mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions })).Should(Succeed()) 
@@ -731,17 +787,184 @@ var _ = Describe("With a running MachineMigration controller", func() { req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachine)} }) - It("should set the new to-be authoritative resource (MAPI) to actually be authoritative and requeue to unpause it", func() { - result, err := reconciler.Reconcile(ctx, req) + It("should wait in Migrating until unpaused, then complete migration", func() { + result, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachine)).Should( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + ) + + By("Unpausing the MAPI machine") + Eventually(k.UpdateStatus(mapiMachine, func() { + updatedMAPIMachine := mapiMachineBuilder. + WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). + WithConditions([]mapiv1beta1.Condition{ + { + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }, + { + Type: "Paused", + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionFalse, + }, + }). 
+ Build() + mapiMachine.Status.AuthoritativeAPI = updatedMAPIMachine.Status.AuthoritativeAPI + mapiMachine.Status.SynchronizedAPI = updatedMAPIMachine.Status.SynchronizedAPI + mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation + mapiMachine.Status.Conditions = updatedMAPIMachine.Status.Conditions + })).Should(Succeed()) + + result, err = reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachine)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)), + HaveField("Status.SynchronizedGeneration", BeZero()), + )) + }) + }) + }) + + Context("when transitioning from stable state to Migrating", func() { + BeforeEach(func() { + By("Setting the MAPI machine spec AuthoritativeAPI to MachineAPI (target)") + mapiMachine = mapiMachineBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityMachineAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachine)).Should(Succeed()) + + By("Creating mirror CAPI machines") + capiMachine = capiMachineBuilder.Build() + Eventually(k8sClient.Create(ctx, capiMachine)).Should(Succeed()) + capaMachine = capaMachineBuilder.Build() + Eventually(k8sClient.Create(ctx, capaMachine)).Should(Succeed()) + + By("Setting current authority to ClusterAPI with proper sync status") + Eventually(k.UpdateStatus(mapiMachine, func() { + mapiMachine.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityClusterAPI + mapiMachine.Status.SynchronizedAPI = mapiv1beta1.ClusterAPISynchronized + mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation + mapiMachine.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachine)} + }) + + It("should preserve SynchronizedAPI as ClusterAPI when 
transitioning to Migrating", func() { + _, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + + Eventually(k.Object(mapiMachine)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.ClusterAPISynchronized)), + )) + }) + }) + + Context("when migration is cancelled during Migrating state", func() { + Context("when cancelling MAPI->CAPI migration back to MAPI", func() { + BeforeEach(func() { + By("Setting the MAPI machine spec AuthoritativeAPI to MachineAPI (cancellation)") + mapiMachine = mapiMachineBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityMachineAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachine)).Should(Succeed()) + + By("Creating mirror CAPI machines") + capiMachine = capiMachineBuilder.Build() + Eventually(k8sClient.Create(ctx, capiMachine)).Should(Succeed()) + capaMachine = capaMachineBuilder.Build() + Eventually(k8sClient.Create(ctx, capaMachine)).Should(Succeed()) + + By("Setting status to Migrating with SynchronizedAPI=MachineAPISynchronized (was migrating from MAPI)") + Eventually(k.UpdateStatus(mapiMachine, func() { + mapiMachine.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + mapiMachine.Status.SynchronizedAPI = mapiv1beta1.MachineAPISynchronized + mapiMachine.Status.SynchronizedGeneration = mapiMachine.Generation + mapiMachine.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachine)} + }) + + It("should rollback to MachineAPI and reset sync status", func() { + _, err := reconciler.Reconcile(ctx, req) Expect(err).NotTo(HaveOccurred()) - Expect(result.Requeue).To(BeFalse()) - Eventually(komega.Object(mapiMachine)).Should(SatisfyAll( + 
Eventually(k.Object(mapiMachine)).Should(SatisfyAll( HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)), HaveField("Status.SynchronizedGeneration", BeZero()), )) }) }) + + Context("when cancelling CAPI->MAPI migration back to CAPI", func() { + BeforeEach(func() { + By("Setting the MAPI machine spec AuthoritativeAPI to ClusterAPI (cancellation)") + mapiMachine = mapiMachineBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityClusterAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachine)).Should(Succeed()) + + By("Creating mirror CAPI machines with paused annotation") + capiMachine = capiMachineBuilder. + WithAnnotations(map[string]string{ + clusterv1.PausedAnnotation: "", + }). + Build() + Eventually(k8sClient.Create(ctx, capiMachine)).Should(Succeed()) + capaMachine = capaMachineBuilder. + WithAnnotations(map[string]string{ + clusterv1.PausedAnnotation: "", + }). + Build() + Eventually(k8sClient.Create(ctx, capaMachine)).Should(Succeed()) + + By("Setting status to Migrating with SynchronizedAPI=ClusterAPISynchronized (was migrating from CAPI)") + Eventually(k.UpdateStatus(mapiMachine, func() { + mapiMachine.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + mapiMachine.Status.SynchronizedAPI = mapiv1beta1.ClusterAPISynchronized + mapiMachine.Status.SynchronizedGeneration = capiMachine.Generation + mapiMachine.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachine)} + }) + + It("should rollback to ClusterAPI, reset sync status, and remove paused annotation from CAPI resources", func() { + _, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + + Eventually(k.Object(mapiMachine)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", 
Equal(mapiv1beta1.MachineAuthorityClusterAPI)), + HaveField("Status.SynchronizedGeneration", BeZero()), + )) + + Eventually(k.Object(capiMachine)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation))) + Eventually(k.Object(capaMachine)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation))) + }) + }) }) }) }) diff --git a/pkg/controllers/machinesetmigration/machineset_migration_controller.go b/pkg/controllers/machinesetmigration/machineset_migration_controller.go index 29a8850f2..6ac4f65af 100644 --- a/pkg/controllers/machinesetmigration/machineset_migration_controller.go +++ b/pkg/controllers/machinesetmigration/machineset_migration_controller.go @@ -18,6 +18,7 @@ package machinesetmigration import ( "context" + "errors" "fmt" "github.com/go-logr/logr" @@ -47,6 +48,9 @@ import ( const controllerName = "MachineSetMigrationController" +// errInvalidSynchronizedAPI is returned when SynchronizedAPI has an unexpected value. +var errInvalidSynchronizedAPI = errors.New("invalid synchronizedAPI value") + // MachineSetMigrationReconciler reconciles MachineSet resources for migration. type MachineSetMigrationReconciler struct { client.Client 
@@ -119,19 +123,45 @@ func (r *MachineSetMigrationReconciler) Reconcile(ctx context.Context, req recon return ctrl.Result{}, nil } - // If authoritativeAPI status is empty, it means it is the first time we see this resource. - // Set the status.authoritativeAPI to match the spec.authoritativeAPI. - // // N.B. Very similar logic is also present in the Machine API machine/machineset controllers // to cover for the cases when the migration controller is not running (e.g. on not yet supported platforms), // as such if any change is done to this logic, please consider changing it also there. See: // https://github.com/openshift/machine-api-operator/pull/1386/files#diff-3a93acbdaa255c0afa7f52535fc7df9c3890d6403035dd4c3bd47b0092eb3a37R177-R194 + // Handle the case where AuthoritativeAPI status field is empty. if mapiMachineSet.Status.AuthoritativeAPI == "" { - if err := r.applyStatusAuthoritativeAPIWithPatch(ctx, mapiMachineSet, mapiMachineSet.Spec.AuthoritativeAPI); err != nil { - return ctrl.Result{}, fmt.Errorf("unable to apply authoritativeAPI to status with patch: %w", err) + // Initialize status.AuthoritativeAPI from spec.AuthoritativeAPI. + // SynchronizedAPI will be set by the sync controller after first successful sync. + if err := r.applyMigrationStatusWithPatch(ctx, mapiMachineSet, mapiMachineSet.Spec.AuthoritativeAPI); err != nil { + return ctrl.Result{}, fmt.Errorf("unable to apply authoritativeAPI to status: %w", err) + } + + return ctrl.Result{}, nil + } + + currentAuthority, desiredAuthority, isMigrating := synccommon.MigrationDirection( + mapiMachineSet.Status.AuthoritativeAPI, + mapiMachineSet.Status.SynchronizedAPI, + mapiMachineSet.Spec.AuthoritativeAPI, + ) + + // Handle migration cancellation: if already in Migrating state and spec matches + // the source authority (before migration started), the user wants to cancel. 
+ if isMigrating && currentAuthority != "" && desiredAuthority == currentAuthority { + logger.Info("Migration cancellation detected, rolling back to source authority", + "sourceAuthority", currentAuthority) + + // Unpause any resources that were paused during migration attempt. + if err := r.ensureUnpauseAfterCancellation(ctx, mapiMachineSet); err != nil { + return ctrl.Result{}, fmt.Errorf("failed to unpause after cancellation: %w", err) } - // Wait for the patching to take effect. + // Reset status back to source authority and reset sync status. + if err := r.applyMigrationStatusAndResetSyncStatusWithPatch(ctx, mapiMachineSet, currentAuthority); err != nil { + return ctrl.Result{}, fmt.Errorf("failed to rollback migration: %w", err) + } + + logger.Info("Migration cancelled and rolled back successfully") + return ctrl.Result{}, nil } @@ -150,11 +180,11 @@ func (r *MachineSetMigrationReconciler) Reconcile(ctx context.Context, req recon } // Make sure the authoritativeAPI resource status is set to migrating. - if mapiMachineSet.Status.AuthoritativeAPI != mapiv1beta1.MachineAuthorityMigrating { + if !isMigrating { logger.Info("Detected migration request for machine set") - if err := r.applyStatusAuthoritativeAPIWithPatch(ctx, mapiMachineSet, mapiv1beta1.MachineAuthorityMigrating); err != nil { - return ctrl.Result{}, fmt.Errorf("unable to set authoritativeAPI %q to status: %w", mapiv1beta1.MachineAuthorityMigrating, err) + if err := r.applyMigrationStatusWithPatch(ctx, mapiMachineSet, mapiv1beta1.MachineAuthorityMigrating); err != nil { + return ctrl.Result{}, fmt.Errorf("unable to set authoritativeAPI to Migrating: %w", err) } logger.Info("Acknowledged migration request for machine set") 
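Review bot: The cancellation branch calls `ensureUnpauseAfterCancellation` for both directions, so a rollback to MachineAPI (currentAuthority == MachineAuthorityMachineAPI) also strips the paused annotation from the CAPI MachineSet mirror even though ClusterAPI will not be authoritative afterwards; if the mirror is meant to stay paused while MAPI is authoritative, that leaves it reconciled by the CAPI side until something re-pauses it. I cannot see from this hunk what pauses the mirror in the MAPI-authoritative steady state, so please confirm; a cheap guard is to pass the direction through and only unpause when rolling back to ClusterAPI, e.g. `if currentAuthority == mapiv1beta1.MachineAuthorityClusterAPI { if err := r.ensureUnpauseAfterCancellation(ctx, mapiMachineSet); err != nil { … } }`. The analogous e2e case for the Machine controller ("when cancelling MAPI->CAPI migration back to MAPI" in the -731 hunk) asserts only the MAPI status, so neither outcome for the mirror would be caught there. Reconcile's body continues outside this hunk.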
@@ -164,7 +194,7 @@ func (r *MachineSetMigrationReconciler) Reconcile(ctx context.Context, req recon } // Request pausing on the authoritative resource. - if updated, err := r.requestOldAuthoritativeResourcePaused(ctx, mapiMachineSet); err != nil { + if updated, err := r.requestOldAuthoritativeResourcePaused(ctx, mapiMachineSet, currentAuthority); err != nil { return ctrl.Result{}, fmt.Errorf("failed to request pause on authoritative machine set: %w", err) } else if updated { logger.Info("Requested pausing for authoritative machine set") @@ -174,7 +204,7 @@ func (r *MachineSetMigrationReconciler) Reconcile(ctx context.Context, req recon } // Check that the old authoritative resource is paused. - if paused, err := r.isOldAuthoritativeResourcePaused(ctx, mapiMachineSet); err != nil { + if paused, err := r.isOldAuthoritativeResourcePaused(ctx, mapiMachineSet, currentAuthority); err != nil { return ctrl.Result{}, fmt.Errorf("failed to check paused on old authoritative machine set: %w", err) } else if !paused { // The Authoritative API resource is not paused yet, requeue to check later. 
@@ -184,24 +214,38 @@ func (r *MachineSetMigrationReconciler) Reconcile(ctx context.Context, req recon } // Make sure the new authoritative resource has been requested to unpause. - if err := r.ensureUnpauseRequestedOnNewAuthoritativeResource(ctx, mapiMachineSet); err != nil { + if err := r.ensureUnpauseRequestedOnNewAuthoritativeResource(ctx, mapiMachineSet, desiredAuthority); err != nil { return ctrl.Result{}, fmt.Errorf("unable to ensure the new AuthoritativeAPI has been un-paused: %w", err) } - // Set the actual AuthoritativeAPI to the desired one, reset the synchronized generation and condition. - if err := synccommon.ApplyAuthoritativeAPIAndResetSyncStatus[*machinev1applyconfigs.MachineSetStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.MachineSet, mapiMachineSet, mapiMachineSet.Spec.AuthoritativeAPI); err != nil { + // Check that the new authoritative resource has been unpaused by its controller. + // This ensures the target controller is running and responsive before completing migration. + if unpaused, err := r.isNewAuthoritativeResourceUnpaused(ctx, mapiMachineSet, desiredAuthority); err != nil { + return ctrl.Result{}, fmt.Errorf("failed to check unpaused on new authoritative machine set: %w", err) + } else if !unpaused { + // The new authoritative resource is not unpaused yet. + // The watches on CAPI MachineSet will trigger reconciliation + // when the target controller updates the Paused condition. + logger.Info("New authoritative machine set is not unpaused yet, waiting for target controller") + + return ctrl.Result{}, nil + } + + // Set the actual AuthoritativeAPI to the desired one and reset the synchronized generation and condition. + // SynchronizedAPI will be updated by the sync controller after resync. 
+ if err := r.applyMigrationStatusAndResetSyncStatusWithPatch(ctx, mapiMachineSet, mapiMachineSet.Spec.AuthoritativeAPI); err != nil { return ctrl.Result{}, fmt.Errorf("failed to apply authoritativeAPI and reset sync status: %w", err) } - logger.Info("Machine set authority switch has now been completed and the resource unpaused") + logger.Info("Machine set authority switch has now been completed and the resource unpaused", "authoritativeAPI", mapiMachineSet.Spec.AuthoritativeAPI) logger.Info("Machine set migrated successfully") return ctrl.Result{}, nil } // isOldAuthoritativeResourcePaused checks whether the old authoritative resource is paused. -func (r *MachineSetMigrationReconciler) isOldAuthoritativeResourcePaused(ctx context.Context, ms *mapiv1beta1.MachineSet) (bool, error) { - if ms.Spec.AuthoritativeAPI == mapiv1beta1.MachineAuthorityClusterAPI { +func (r *MachineSetMigrationReconciler) isOldAuthoritativeResourcePaused(ctx context.Context, ms *mapiv1beta1.MachineSet, sourceAuthority mapiv1beta1.MachineAuthority) (bool, error) { + if sourceAuthority == mapiv1beta1.MachineAuthorityMachineAPI { cond, err := util.GetConditionStatus(ms, "Paused") if err != nil { return false, fmt.Errorf("unable to get paused condition for %s/%s: %w", ms.Namespace, ms.Name, err) @@ -210,7 +254,7 @@ func (r *MachineSetMigrationReconciler) isOldAuthoritativeResourcePaused(ctx con return cond == corev1.ConditionTrue, nil } - // For MachineAuthorityMachineAPI, check the corresponding CAPI resource. + // For MachineAuthorityClusterAPI, check the corresponding CAPI resource. capiMachineSet := &clusterv1.MachineSet{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: ms.Name}, capiMachineSet); err != nil { return false, fmt.Errorf("failed to get Cluster API machine set: %w", err) 
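Review bot: When `isNewAuthoritativeResourceUnpaused` reports not-yet-unpaused the new branch returns `ctrl.Result{}` with no requeue and relies on watches, whereas the paused check a few lines earlier (the -174 hunk) requeues to check later; if the controller's watch predicates drop status-only updates, the Paused condition flip on the MAPI MachineSet would not re-trigger Reconcile and the resource would sit in Migrating until the next resync. Either mirror the existing branch with a bounded `return ctrl.Result{RequeueAfter: <interval>}, nil`, or extend the comment to name the watch and predicate that guarantee the trigger for both the MAPI and the CAPI target. Reconcile starts outside this hunk.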
@@ -228,10 +272,39 @@ func (r *MachineSetMigrationReconciler) isOldAuthoritativeResourcePaused(ctx con return (machinePausedCondition.Status == metav1.ConditionTrue), nil } -func (r *MachineSetMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeResource(ctx context.Context, mapiMachineSet *mapiv1beta1.MachineSet) error { +// isNewAuthoritativeResourceUnpaused checks whether the new authoritative resource has been unpaused +// by its controller. This ensures the target controller is running and responsive before completing migration. +func (r *MachineSetMigrationReconciler) isNewAuthoritativeResourceUnpaused(ctx context.Context, ms *mapiv1beta1.MachineSet, targetAuthority mapiv1beta1.MachineAuthority) (bool, error) { + switch targetAuthority { + case mapiv1beta1.MachineAuthorityMachineAPI: + cond, err := util.GetConditionStatus(ms, "Paused") + if err != nil { + // If we can't get the condition, treat as unpaused + return true, nil + } + + return cond != corev1.ConditionTrue, nil + case mapiv1beta1.MachineAuthorityClusterAPI: + capiMachineSet := &clusterv1.MachineSet{} + if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: ms.Name}, capiMachineSet); err != nil { + return false, fmt.Errorf("failed to get Cluster API machine set: %w", err) + } + + machinePausedCondition := conditions.Get(capiMachineSet, clusterv1.PausedCondition) + if machinePausedCondition != nil && machinePausedCondition.Status == metav1.ConditionTrue { + return false, nil + } + + return true, nil + default: + return false, fmt.Errorf("unsupported target authority: %s", targetAuthority) + } +} + +func (r *MachineSetMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritativeResource(ctx context.Context, mapiMachineSet *mapiv1beta1.MachineSet, targetAuthority mapiv1beta1.MachineAuthority) error { // Request that the new authoritative resource reconciliation is un-paused. 
//nolint:wsl - switch mapiMachineSet.Spec.AuthoritativeAPI { + switch targetAuthority { case mapiv1beta1.MachineAuthorityClusterAPI: // For requesting unpausing of a CAPI resource, remove the paused annotation on it. // So check if the ClusterAPI resource has the paused annotation and if so remove it. 
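Review bot: In the MachineAuthorityMachineAPI branch of `isNewAuthoritativeResourceUnpaused`, an error from `util.GetConditionStatus` is swallowed and reported as unpaused (`return true, nil`), which defeats the stated purpose of the check — confirming the target controller is running and responsive — because a MAPI MachineSet whose controller has never written a Paused condition passes straight through to migration completion. `isOldAuthoritativeResourcePaused` propagates the same error; this branch should do the same, or at most return `false, nil` so the migration keeps waiting: `return false, fmt.Errorf("unable to get paused condition for %s/%s: %w", ms.Namespace, ms.Name, err)`. The ClusterAPI branch has the same shape — a nil Paused condition counts as unpaused — which is fine only if the CAPI controller always sets that condition, so a one-line comment stating that assumption would help.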
@@ -264,18 +337,18 @@ func (r *MachineSetMigrationReconciler) ensureUnpauseRequestedOnNewAuthoritative } // requestOldAuthoritativeResourcePaused requests the old authoritative resource is paused. -func (r *MachineSetMigrationReconciler) requestOldAuthoritativeResourcePaused(ctx context.Context, ms *mapiv1beta1.MachineSet) (bool, error) { +func (r *MachineSetMigrationReconciler) requestOldAuthoritativeResourcePaused(ctx context.Context, ms *mapiv1beta1.MachineSet, sourceAuthority mapiv1beta1.MachineAuthority) (bool, error) { // Request that the old authoritative resource reconciliation is paused. updated := false //nolint:wsl - switch ms.Spec.AuthoritativeAPI { - case mapiv1beta1.MachineAuthorityClusterAPI: + switch sourceAuthority { + case mapiv1beta1.MachineAuthorityMachineAPI: // For requesting pausing of a MAPI resource, it is sufficient to switch the spec.AuthoritativeAPI field on the MAPI resource. // which is already done before this code runs in this controller. - case mapiv1beta1.MachineAuthorityMachineAPI: + case mapiv1beta1.MachineAuthorityClusterAPI: // For requesting pausing of a CAPI resource, set the paused annotation on it. - // The spec.AuthoritativeAPI is set to MachineAPI, meaning that the old authoritativeAPI was ClusterAPI. - // So Check if the ClusterAPI resource has the paused annotation, otherwise set it. + // This is required when the old authoritative API is ClusterAPI, so check if the ClusterAPI resource + // has the paused annotation, otherwise set it. capiMachineSet := &clusterv1.MachineSet{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: ms.Name}, capiMachineSet); err != nil { return false, fmt.Errorf("failed to get Cluster API machine set: %w", err) 
@@ -311,41 +384,60 @@ func (r *MachineSetMigrationReconciler) isSynchronized(ctx context.Context, mapi return false, nil } - // Because we are in a migration (spec.authoritativeAPI != - // status.authoritativeAPI), we assume that spec.authoritativeAPI is - // currently the migration target, not the migration source. So: - // - // target: spec.authoritativeAPI - // source: opposite of target - // - // We want to assert that source has been synched to target, so we need to - // treat spec.AuthoritativeAPI as the opposite of the direction we want to - // check. - // - // We may revisit this, as this assumption is not safe if a user aborts an - // in-progress migration by resetting spec.authoritativeAPI to its original - // value. - - switch mapiMachineSet.Spec.AuthoritativeAPI { - case mapiv1beta1.MachineAuthorityClusterAPI: + // Use SynchronizedAPI to deterministically know which object's generation + // the SynchronizedGeneration refers to. This avoids the previous heuristic + // which was not safe when a user aborts an in-progress migration. + switch mapiMachineSet.Status.SynchronizedAPI { + case mapiv1beta1.MachineAPISynchronized: return mapiMachineSet.Status.SynchronizedGeneration == mapiMachineSet.Generation, nil - case mapiv1beta1.MachineAuthorityMachineAPI: + case mapiv1beta1.ClusterAPISynchronized: capiMachineSet := &clusterv1.MachineSet{} if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: mapiMachineSet.Name}, capiMachineSet); err != nil { return false, fmt.Errorf("failed to get Cluster API machine set: %w", err) } - // Given the CAPI infra machine template is immutable - // we do not check for its generation to be synced up with the generation of the MAPI machine set. 
- return (mapiMachineSet.Status.SynchronizedGeneration == capiMachineSet.Generation), nil - case mapiv1beta1.MachineAuthorityMigrating: + return mapiMachineSet.Status.SynchronizedGeneration == capiMachineSet.Generation, nil + case "": + // SynchronizedAPI not yet set by sync controller - not synchronized + return false, nil + default: + return false, fmt.Errorf("%w: %s", errInvalidSynchronizedAPI, mapiMachineSet.Status.SynchronizedAPI) } +} + +// applyMigrationStatusWithPatch updates the migration controller status fields using a server-side apply patch. +func (r *MachineSetMigrationReconciler) applyMigrationStatusWithPatch(ctx context.Context, ms *mapiv1beta1.MachineSet, authority mapiv1beta1.MachineAuthority) error { + return synccommon.ApplyMigrationStatus[*machinev1applyconfigs.MachineSetStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.MachineSet, ms, authority) +} - // Should have been prevented by validation - return false, fmt.Errorf("%w: %s", controllers.ErrInvalidSpecAuthoritativeAPI, mapiMachineSet.Spec.AuthoritativeAPI) +// applyMigrationStatusAndResetSyncStatusWithPatch updates the migration controller status and resets sync status. +func (r *MachineSetMigrationReconciler) applyMigrationStatusAndResetSyncStatusWithPatch(ctx context.Context, ms *mapiv1beta1.MachineSet, authority mapiv1beta1.MachineAuthority) error { + return synccommon.ApplyMigrationStatusAndResetSyncStatus[*machinev1applyconfigs.MachineSetStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.MachineSet, ms, authority) } -// applyStatusAuthoritativeAPIWithPatch updates the resource status.authoritativeAPI using a server-side apply patch. 
-func (r *MachineSetMigrationReconciler) applyStatusAuthoritativeAPIWithPatch(ctx context.Context, ms *mapiv1beta1.MachineSet, authority mapiv1beta1.MachineAuthority) error { - return synccommon.ApplyAuthoritativeAPI[*machinev1applyconfigs.MachineSetStatusApplyConfiguration](ctx, r.Client, controllerName, machinev1applyconfigs.MachineSet, ms, authority) +// ensureUnpauseAfterCancellation ensures CAPI resources are unpaused after migration cancellation. +// When cancelling a migration, any CAPI resources that may have been paused should be unpaused. +// InfraMachineTemplate doesn't have a reconciler and thus doesn't need unpausing. +func (r *MachineSetMigrationReconciler) ensureUnpauseAfterCancellation(ctx context.Context, mapiMachineSet *mapiv1beta1.MachineSet) error { + capiMachineSet := &clusterv1.MachineSet{} + if err := r.Get(ctx, client.ObjectKey{Namespace: r.CAPINamespace, Name: mapiMachineSet.Name}, capiMachineSet); err != nil { + if apierrors.IsNotFound(err) { + return nil + } + + return fmt.Errorf("failed to get Cluster API machine set: %w", err) + } + + if !annotations.HasPaused(capiMachineSet) { + return nil + } + + capiMachineSetCopy := capiMachineSet.DeepCopy() + delete(capiMachineSet.Annotations, clusterv1.PausedAnnotation) + + if err := r.Patch(ctx, capiMachineSet, client.MergeFrom(capiMachineSetCopy)); err != nil { + return fmt.Errorf("failed to remove paused annotation from Cluster API machine set: %w", err) + } + + return nil } diff --git a/pkg/controllers/machinesetmigration/machineset_migration_controller_test.go b/pkg/controllers/machinesetmigration/machineset_migration_controller_test.go index 763477ff2..256ef7441 100644 --- a/pkg/controllers/machinesetmigration/machineset_migration_controller_test.go +++ b/pkg/controllers/machinesetmigration/machineset_migration_controller_test.go 
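Review bot: `ensureUnpauseAfterCancellation` removes the paused annotation with `client.MergeFrom(capiMachineSetCopy)` and no optimistic lock, so an annotation change by another writer between the Get and the Patch is silently overwritten; `client.MergeFromWithOptions(capiMachineSetCopy, client.MergeFromWithOptimisticLock{})` makes the patch fail on a stale resourceVersion and the next reconcile retries. The same get-check-delete-patch sequence appears to live in the ClusterAPI case of `ensureUnpauseRequestedOnNewAuthoritativeResource` (only its head is visible in the -228 hunk); if so, a single unexported helper that removes the paused annotation would keep the two in step. The doc comment could also say that NotFound is ignored on purpose because the CAPI mirror may not exist when a migration is cancelled.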
@@ -19,6 +19,7 @@ package machinesetmigration import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + ctrl "sigs.k8s.io/controller-runtime" mapiv1beta1 "github.com/openshift/api/machine/v1beta1" clusterv1resourcebuilder "github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/cluster-api/core/v1beta2" @@ -196,7 +197,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) - By("Setting the MAPI machine set status AuthoritativeAPI to MachineAPI") + By("Setting the MAPI machine set status AuthoritativeAPI and SynchronizedAPI to MachineAPI") Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMachineAPI). @@ -206,6 +207,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Status: corev1.ConditionFalse}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.MachineAPISynchronized mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) @@ -242,6 +244,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.MachineAPISynchronized mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions mapiMachineSet.Status.SynchronizedGeneration = capiMachineSet.Generation })).Should(Succeed()) 
@@ -268,8 +271,12 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) - By("Creating a mirror CAPI machine set") - capiMachineSet = capiMachineSetBuilder.Build() + By("Creating a mirror CAPI machine set with paused annotation") + capiMachineSet = capiMachineSetBuilder. + WithAnnotations(map[string]string{ + clusterv1.PausedAnnotation: "", + }). + Build() Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) By("Setting the MAPI machine set status AuthoritativeAPI to 'Migrating'") @@ -282,6 +289,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.MachineAPISynchronized mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions mapiMachineSet.Status.SynchronizedGeneration = capiMachineSet.Generation })).Should(Succeed()) @@ -316,12 +324,14 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions mapiMachineSet.Status.SynchronizedGeneration = mapiMachineSet.Generation })).Should(Succeed()) 
@@ -365,6 +375,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, @@ -379,6 +390,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { }). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions mapiMachineSet.Status.SynchronizedGeneration = capiMachineSet.Generation })).Should(Succeed()) @@ -419,12 +431,14 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, LastTransitionTime: metav1.Now(), Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) 
@@ -481,6 +495,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). WithSynchronizedGeneration(9999). // Do not match .metadata.generation field. WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, @@ -488,6 +503,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.SynchronizedGeneration = updatedMAPIMachineSet.Status.SynchronizedGeneration mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) @@ -520,6 +536,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). WithSynchronizedGeneration(9999). // Do not match .metadata.generation field. WithConditions([]mapiv1beta1.Condition{{ Type: consts.SynchronizedCondition, @@ -527,6 +544,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Status: corev1.ConditionTrue}}). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.SynchronizedGeneration = updatedMAPIMachineSet.Status.SynchronizedGeneration mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) 
@@ -544,23 +562,25 @@ var _ = Describe("With a running MachineSetMigration controller", func() { }) }) - Context("when all the prerequisites for switching the authoritative API are satisfied", func() { + Context("when the new authoritative resource is still paused", func() { Context("when migrating from MachineAPI to ClusterAPI", func() { BeforeEach(func() { By("Setting the MAPI machine set spec AuthoritativeAPI to ClusterAPI") mapiMachineSet = mapiMachineSetBuilder. - // Set desired authoritative API in spec to ClusterAPI. - // To check for requesting pausing on the the MAPI resource it is sufficient - // see that the spec.AuthoritativeAPI field is set to ClusterAPI. WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityClusterAPI). Build() Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) - By("Setting the MAPI machine set status AuthoritativeAPI to 'Migrating'") + By("Creating a mirror CAPI machine set") + capiMachineSet = capiMachineSetBuilder.Build() + Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) + + By("Setting the MAPI machine set status AuthoritativeAPI to 'Migrating' with Paused=True (not yet unpaused)") Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). - WithSynchronizedGeneration(mapiMachineSet.Generation). // Match the MAPI .metadata.generation field. + WithSynchronizedAPIStatus(mapiv1beta1.MachineAPISynchronized). + WithSynchronizedGeneration(mapiMachineSet.Generation). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, 
@@ -575,20 +595,12 @@ var _ = Describe("With a running MachineSetMigration controller", func() { }). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.SynchronizedGeneration = updatedMAPIMachineSet.Status.SynchronizedGeneration mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) - By("Creating a mirror CAPI machine set") - capiMachineSet = capiMachineSetBuilder. - WithAnnotations(map[string]string{ - clusterv1.PausedAnnotation: "", - }). - Build() - capiMachineSet.Finalizers = append(capiMachineSet.Finalizers, clusterv1.MachineSetFinalizer) - Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) - - By("Setting the CAPI machine set status condition to 'Paused'") + By("Setting the CAPI machine set status condition to 'Paused' (not yet unpaused)") Eventually(k.UpdateStatus(capiMachineSet, func() { updatedCAPIMachineSet := capiMachineSetBuilder.Build() updatedCAPIMachineSet.Status.Conditions = []metav1.Condition{{ 
@@ -602,20 +614,40 @@ var _ = Describe("With a running MachineSetMigration controller", func() { req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachineSet)} }) - It("should set the new to-be authoritative resource (CAPI) to actually be authoritative and unpause it", func() { + It("should wait in Migrating until unpaused, then complete migration", func() { result, err := reconciler.Reconcile(ctx, req) Expect(err).NotTo(HaveOccurred()) - Expect(result.Requeue).To(BeFalse()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachineSet)).Should( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + ) + Eventually(komega.Object(capiMachineSet)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation)), + ) + + By("Unpausing the CAPI machine set") + Eventually(k.UpdateStatus(capiMachineSet, func() { + updatedCAPIMachineSet := capiMachineSetBuilder.Build() + updatedCAPIMachineSet.Status.Conditions = []metav1.Condition{{ + Type: clusterv1.PausedCondition, + Status: metav1.ConditionFalse, + LastTransitionTime: metav1.Now(), + }} + capiMachineSet.Status = updatedCAPIMachineSet.Status + })).Should(Succeed()) + + result, err = reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) Eventually(komega.Object(mapiMachineSet)).Should(SatisfyAll( HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityClusterAPI)), HaveField("Status.SynchronizedGeneration", BeZero()), )) - - Eventually(komega.Object(capiMachineSet)).ShouldNot( - HaveField("ObjectMeta.Annotations", ContainElement(HaveKeyWithValue(clusterv1.PausedAnnotation, "")))) }) }) + Context("when migrating from ClusterAPI to MachineAPI", func() { BeforeEach(func() { By("Setting the MAPI machine set spec AuthoritativeAPI to MachineAPI") 
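Review bot: The first `Eventually(komega.Object(mapiMachineSet)).Should(HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)))` after the initial Reconcile passes on its first poll because the BeforeEach already set the status to Migrating, so it does not show that the controller waited; `Consistently(komega.Object(mapiMachineSet)).Should(HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)))` is the matcher that backs the title "should wait in Migrating until unpaused". The following `ShouldNot(HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation)))` is likewise vacuous in this context, since the rewritten BeforeEach now creates the CAPI machine set with a bare `capiMachineSetBuilder.Build()` and nothing visible adds the annotation, unless the builder sets it by default. The ClusterAPI-to-MachineAPI test in the later hunk opens with the same immediately-true Migrating assertion.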
@@ -624,7 +656,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) - By("Creating a mirror CAPI machine set") + By("Creating a mirror CAPI machine set with paused annotation") capiMachineSet = capiMachineSetBuilder. WithAnnotations(map[string]string{ clusterv1.PausedAnnotation: "", @@ -632,11 +664,12 @@ var _ = Describe("With a running MachineSetMigration controller", func() { Build() Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) - By("Setting the MAPI machine set status AuthoritativeAPI to 'Migrating'") + By("Setting the MAPI machine set status AuthoritativeAPI to 'Migrating' with Paused=True (not yet unpaused)") Eventually(k.UpdateStatus(mapiMachineSet, func() { updatedMAPIMachineSet := mapiMachineSetBuilder. WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). - WithSynchronizedGeneration(capiMachineSet.Generation). // Match the CAPI .metadata.generation field. + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). + WithSynchronizedGeneration(capiMachineSet.Generation). WithConditions([]mapiv1beta1.Condition{ { Type: consts.SynchronizedCondition, @@ -651,6 +684,7 @@ var _ = Describe("With a running MachineSetMigration controller", func() { }). Build() mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI mapiMachineSet.Status.SynchronizedGeneration = updatedMAPIMachineSet.Status.SynchronizedGeneration mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions })).Should(Succeed()) 
@@ -669,10 +703,43 @@ var _ = Describe("With a running MachineSetMigration controller", func() { req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachineSet)} }) - It("should set the new to-be authoritative resource (MAPI) to actually be authoritative and requeue to unpause it", func() { + It("should wait in Migrating until unpaused, then complete migration", func() { result, err := reconciler.Reconcile(ctx, req) Expect(err).NotTo(HaveOccurred()) - Expect(result.Requeue).To(BeFalse()) + Expect(result).To(Equal(ctrl.Result{})) + + Eventually(komega.Object(mapiMachineSet)).Should( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + ) + + By("Unpausing the MAPI machine set") + Eventually(k.UpdateStatus(mapiMachineSet, func() { + updatedMAPIMachineSet := mapiMachineSetBuilder. + WithAuthoritativeAPIStatus(mapiv1beta1.MachineAuthorityMigrating). + WithSynchronizedAPIStatus(mapiv1beta1.ClusterAPISynchronized). + WithSynchronizedGeneration(capiMachineSet.Generation). + WithConditions([]mapiv1beta1.Condition{ + { + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }, + { + Type: "Paused", + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionFalse, + }, + }). + Build() + mapiMachineSet.Status.AuthoritativeAPI = updatedMAPIMachineSet.Status.AuthoritativeAPI + mapiMachineSet.Status.SynchronizedAPI = updatedMAPIMachineSet.Status.SynchronizedAPI + mapiMachineSet.Status.SynchronizedGeneration = updatedMAPIMachineSet.Status.SynchronizedGeneration + mapiMachineSet.Status.Conditions = updatedMAPIMachineSet.Status.Conditions + })).Should(Succeed()) + + result, err = reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + Expect(result).To(Equal(ctrl.Result{})) Eventually(komega.Object(mapiMachineSet)).Should(SatisfyAll( HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)), 
@@ -681,5 +748,128 @@ var _ = Describe("With a running MachineSetMigration controller", func() { }) }) }) + + Context("when transitioning from stable state to Migrating", func() { + BeforeEach(func() { + By("Setting the MAPI machine set spec AuthoritativeAPI to MachineAPI (target)") + mapiMachineSet = mapiMachineSetBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityMachineAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) + + By("Creating mirror CAPI machine set") + capiMachineSet = capiMachineSetBuilder.Build() + Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) + + By("Setting current authority to ClusterAPI with proper sync status") + Eventually(k.UpdateStatus(mapiMachineSet, func() { + mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityClusterAPI + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.ClusterAPISynchronized + mapiMachineSet.Status.SynchronizedGeneration = capiMachineSet.Generation + mapiMachineSet.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachineSet)} + }) + + It("should preserve SynchronizedAPI as ClusterAPI when transitioning to Migrating", func() { + _, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + + Eventually(k.Object(mapiMachineSet)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMigrating)), + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.ClusterAPISynchronized)), + )) + }) + }) + + Context("when migration is cancelled during Migrating state", func() { + Context("when cancelling MAPI->CAPI migration back to MAPI", func() { + BeforeEach(func() { + By("Setting the MAPI machine set spec AuthoritativeAPI to MachineAPI (cancellation)") + mapiMachineSet = 
mapiMachineSetBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityMachineAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) + + By("Creating mirror CAPI machine set") + capiMachineSet = capiMachineSetBuilder.Build() + Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) + + By("Setting status to Migrating with SynchronizedAPI=MachineAPISynchronized (was migrating from MAPI)") + Eventually(k.UpdateStatus(mapiMachineSet, func() { + mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.MachineAPISynchronized + mapiMachineSet.Status.SynchronizedGeneration = mapiMachineSet.Generation + mapiMachineSet.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachineSet)} + }) + + It("should rollback to MachineAPI and reset sync status", func() { + _, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + + Eventually(k.Object(mapiMachineSet)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)), + HaveField("Status.SynchronizedGeneration", BeZero()), + )) + }) + }) + + Context("when cancelling CAPI->MAPI migration back to CAPI", func() { + BeforeEach(func() { + By("Setting the MAPI machine set spec AuthoritativeAPI to ClusterAPI (cancellation)") + mapiMachineSet = mapiMachineSetBuilder. + WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityClusterAPI). + Build() + Eventually(k8sClient.Create(ctx, mapiMachineSet)).Should(Succeed()) + + By("Creating mirror CAPI machine set with paused annotation") + capiMachineSet = capiMachineSetBuilder. + WithAnnotations(map[string]string{ + clusterv1.PausedAnnotation: "", + }). 
+ Build() + Eventually(k8sClient.Create(ctx, capiMachineSet)).Should(Succeed()) + + By("Setting status to Migrating with SynchronizedAPI=ClusterAPISynchronized (was migrating from CAPI)") + Eventually(k.UpdateStatus(mapiMachineSet, func() { + mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + mapiMachineSet.Status.SynchronizedAPI = mapiv1beta1.ClusterAPISynchronized + mapiMachineSet.Status.SynchronizedGeneration = capiMachineSet.Generation + mapiMachineSet.Status.Conditions = []mapiv1beta1.Condition{{ + Type: consts.SynchronizedCondition, + LastTransitionTime: metav1.Now(), + Status: corev1.ConditionTrue, + }} + })).Should(Succeed()) + + req = reconcile.Request{NamespacedName: client.ObjectKeyFromObject(mapiMachineSet)} + }) + + It("should rollback to ClusterAPI, reset sync status, and remove paused annotation from CAPI resources", func() { + _, err := reconciler.Reconcile(ctx, req) + Expect(err).NotTo(HaveOccurred()) + + Eventually(k.Object(mapiMachineSet)).Should(SatisfyAll( + HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityClusterAPI)), + HaveField("Status.SynchronizedGeneration", BeZero()), + )) + + Eventually(k.Object(capiMachineSet)).ShouldNot( + HaveField("ObjectMeta.Annotations", HaveKey(clusterv1.PausedAnnotation))) + }) + }) + }) }) }) diff --git a/pkg/controllers/machinesetsync/machineset_sync_controller.go b/pkg/controllers/machinesetsync/machineset_sync_controller.go index 6e1bc88a8..4eb7ad855 100644 --- a/pkg/controllers/machinesetsync/machineset_sync_controller.go +++ b/pkg/controllers/machinesetsync/machineset_sync_controller.go 
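Review bot: Both cancellation tests, `should rollback to MachineAPI and reset sync status` and its ClusterAPI counterpart, assert only `Status.AuthoritativeAPI` and `Status.SynchronizedGeneration`, so the "reset sync status" half of the title is unverified: the Synchronized condition that `ApplyMigrationStatusAndResetSyncStatus` documents as reset to Unknown and the `Status.SynchronizedAPI` value are never checked, and a cancellation that left a stale `SynchronizedAPI` would still pass. Consider adding `HaveField("Status.Conditions", ContainElement(SatisfyAll(HaveField("Type", consts.SynchronizedCondition), HaveField("Status", corev1.ConditionUnknown))))` to both `SatisfyAll` lists, plus an explicit `HaveField("Status.SynchronizedAPI", ...)` with whatever value the cancellation path is meant to leave behind. The second `It` title also says "CAPI resources" while only the machine set's annotation is inspected.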
@@ -726,12 +726,13 @@ func (r *MachineSetSyncReconciler) convertMAPIToCAPIMachineSet(mapiMachineSet *m
 // applySynchronizedConditionWithPatch updates the synchronized condition
 // using a server side apply patch. We do this to force ownership of the
-// 'Synchronized' condition and 'SynchronizedGeneration'.
+// 'Synchronized' condition, 'SynchronizedGeneration', and 'SynchronizedAPI'.
 func (r *MachineSetSyncReconciler) applySynchronizedConditionWithPatch(ctx context.Context, mapiMachineSet *mapiv1beta1.MachineSet, status corev1.ConditionStatus, reason, message string, generation *int64) error {
 return synccommon.ApplySyncStatus[*machinev1applyconfigs.MachineSetStatusApplyConfiguration](
 ctx, r.Client, controllerName, machinev1applyconfigs.MachineSet, mapiMachineSet,
- status, reason, message, generation)
+ status, reason, message, generation,
+ synccommon.AuthoritativeAPIToSynchronizedAPI(mapiMachineSet.Status.AuthoritativeAPI))
 }
 // createOrUpdateCAPIInfraMachineTemplate creates a CAPI infra machine template from a MAPI machine set, or updates if it exists and it is out of date.
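Review bot: While `mapiMachineSet.Status.AuthoritativeAPI` is `Migrating`, `AuthoritativeAPIToSynchronizedAPI` returns nil and the status apply configuration built in `newSyncStatusApplyConfiguration` leaves `SynchronizedAPI` out entirely. If `ApplySyncStatus` submits that as a server-side apply patch under the sync controller's own field manager (its patch options are outside this hunk), a field this manager previously set is relinquished and, unless another manager also owns it, removed by the apiserver — which would clear the very value `MigrationDirection` relies on to recover the current authority during a migration. Either fall back to the existing `mapiMachineSet.Status.SynchronizedAPI` when the mapping yields nil, or state at this call why the field is expected to survive, e.g. `// Migrating maps to nil: SynchronizedAPI is omitted from this apply and must remain owned elsewhere — verify`. The same call shape is in machine_sync_controller.go's `applySynchronizedConditionWithPatch`, and the nil branch itself lives in syncstatus.go.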
@@ -1078,9 +1079,10 @@ func setChangedMAPIMachineSetStatusFields(existingMAPIMachineSet, convertedMAPIM // Copy them back to the convertedMAPIMachineSet. convertedMAPIMachineSet.Status.Conditions = existingMAPIMachineSet.Status.Conditions - // Keep the current SynchronizedGeneration and AuthorativeAPI. They get handled separately in `applySynchronizedConditionWithPatch` + // Keep the current SynchronizedGeneration, AuthoritativeAPI, and SynchronizedAPI. They get handled separately in `applySynchronizedConditionWithPatch` convertedMAPIMachineSet.Status.SynchronizedGeneration = existingMAPIMachineSet.Status.SynchronizedGeneration convertedMAPIMachineSet.Status.AuthoritativeAPI = existingMAPIMachineSet.Status.AuthoritativeAPI + convertedMAPIMachineSet.Status.SynchronizedAPI = existingMAPIMachineSet.Status.SynchronizedAPI // Finally overwrite the entire existingMAPIMachineSet status with the convertedMAPIMachineSet status. existingMAPIMachineSet.Status = convertedMAPIMachineSet.Status diff --git a/pkg/controllers/machinesetsync/machineset_sync_controller_test.go b/pkg/controllers/machinesetsync/machineset_sync_controller_test.go index 32fe8358e..d86e336ae 100644 --- a/pkg/controllers/machinesetsync/machineset_sync_controller_test.go +++ b/pkg/controllers/machinesetsync/machineset_sync_controller_test.go @@ -1297,6 +1297,12 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(22))), ) }) + + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachineSet), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) }) Context("when condition status is Unknown", func() { 
@@ -1323,10 +1329,16 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(22))), ) }) + + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachineSet), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) }) Context("when condition status is True", func() { - BeforeEach(func() { + JustBeforeEach(func() { err := reconciler.applySynchronizedConditionWithPatch(ctx, mapiMachineSet, corev1.ConditionTrue, consts.ReasonResourceSynchronized, messageSuccessfullySynchronizedMAPItoCAPI, &mapiMachineSet.Generation) Expect(err).NotTo(HaveOccurred()) }) @@ -1349,6 +1361,33 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(23))), ) }) - }) + Context("when AuthoritativeAPI is MachineAPI", func() { + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachineSet), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) + }) + + Context("when AuthoritativeAPI is ClusterAPI", func() { + BeforeEach(func() { + By("Set the status of the MAPI MachineSet with ClusterAPI authority") + Eventually(k.UpdateStatus(mapiMachineSet, func() { + mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + })).Should(Succeed()) + Eventually(k.UpdateStatus(mapiMachineSet, func() { + mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityClusterAPI + })).Should(Succeed()) + // Restore the artificial generation after UpdateStatus refreshes the object. + mapiMachineSet.Generation = int64(23) + }) + + It("should set SynchronizedAPI to ClusterAPISynchronized", func() { + Eventually(k.Object(mapiMachineSet), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.ClusterAPISynchronized)), + ) + }) + }) + }) }) 
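Review bot: The new `BeforeEach` in the "when AuthoritativeAPI is ClusterAPI" context updates `Status.AuthoritativeAPI` twice, first to Migrating and then to ClusterAPI, with no comment on why a single update is not used; a later maintainer will read one of the calls as redundant and collapse them. If the two-step sequence exists to satisfy a transition rule on the status field, say so: `// Go via Migrating: a direct MachineAPI -> ClusterAPI status transition is presumably rejected by the CRD validation rules — confirm`. The `mapiMachineSet.Generation = int64(23)` line already carries such an explanation and is the model to follow. The same unexplained sequence is repeated in machine_sync_controller_test.go.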
diff --git a/pkg/controllers/machinesync/machine_sync_controller.go b/pkg/controllers/machinesync/machine_sync_controller.go
index 3fe5b8cc6..d5a6591cf 100644
--- a/pkg/controllers/machinesync/machine_sync_controller.go
+++ b/pkg/controllers/machinesync/machine_sync_controller.go
@@ -1506,6 +1506,7 @@ func setChangedMAPIMachineStatusFields(existingMAPIMachine, convertedMAPIMachine
 // Copy the other fields that are not present in the convertedMAPIMachine from the existingMAPIMachine.
 convertedMAPIMachine.Status.AuthoritativeAPI = existingMAPIMachine.Status.AuthoritativeAPI
 convertedMAPIMachine.Status.SynchronizedGeneration = existingMAPIMachine.Status.SynchronizedGeneration
+ convertedMAPIMachine.Status.SynchronizedAPI = existingMAPIMachine.Status.SynchronizedAPI
 convertedMAPIMachine.Status.LastOperation = existingMAPIMachine.Status.LastOperation
 convertedMAPIMachine.Status.ProviderStatus = existingMAPIMachine.Status.ProviderStatus
@@ -1515,12 +1516,13 @@ func setChangedMAPIMachineStatusFields(existingMAPIMachine, convertedMAPIMachine
 // applySynchronizedConditionWithPatch updates the synchronized condition
 // using a server side apply patch. We do this to force ownership of the
-// 'Synchronized' condition and 'SynchronizedGeneration'.
+// 'Synchronized' condition, 'SynchronizedGeneration', and 'SynchronizedAPI'.
 func (r *MachineSyncReconciler) applySynchronizedConditionWithPatch(ctx context.Context, mapiMachine *mapiv1beta1.Machine, status corev1.ConditionStatus, reason, message string, generation *int64) error {
 return synccommon.ApplySyncStatus[*machinev1applyconfigs.MachineStatusApplyConfiguration](
 ctx, r.Client, controllerName, machinev1applyconfigs.Machine, mapiMachine,
- status, reason, message, generation)
+ status, reason, message, generation,
+ synccommon.AuthoritativeAPIToSynchronizedAPI(mapiMachine.Status.AuthoritativeAPI))
 }
 // isTerminalConfigurationError returns true if the provided error is
diff --git a/pkg/controllers/machinesync/machine_sync_controller_test.go b/pkg/controllers/machinesync/machine_sync_controller_test.go index 9d12737dd..0b24e1379 100644 --- a/pkg/controllers/machinesync/machine_sync_controller_test.go +++ b/pkg/controllers/machinesync/machine_sync_controller_test.go @@ -2471,6 +2471,12 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(22))), ) }) + + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachine), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) }) Context("when condition status is Unknown", func() { @@ -2497,10 +2503,16 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(22))), ) }) + + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachine), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) }) Context("when condition status is True", func() { - BeforeEach(func() { + JustBeforeEach(func() { err := reconciler.applySynchronizedConditionWithPatch(ctx, mapiMachine, corev1.ConditionTrue, consts.ReasonResourceSynchronized, messageSuccessfullySynchronizedMAPItoCAPI, &mapiMachine.Generation) Expect(err).NotTo(HaveOccurred()) }) 
@@ -2523,6 +2535,34 @@ var _ = Describe("applySynchronizedConditionWithPatch", func() { HaveField("Status.SynchronizedGeneration", Equal(int64(23))), ) }) + + Context("when AuthoritativeAPI is MachineAPI", func() { + It("should set SynchronizedAPI to MachineAPISynchronized", func() { + Eventually(k.Object(mapiMachine), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.MachineAPISynchronized)), + ) + }) + }) + + Context("when AuthoritativeAPI is ClusterAPI", func() { + BeforeEach(func() { + By("Set the status of the MAPI Machine with ClusterAPI authority") + Eventually(k.UpdateStatus(mapiMachine, func() { + mapiMachine.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMigrating + })).Should(Succeed()) + Eventually(k.UpdateStatus(mapiMachine, func() { + mapiMachine.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityClusterAPI + })).Should(Succeed()) + // Restore the artificial generation after UpdateStatus refreshes the object. + mapiMachine.Generation = int64(23) + }) + + It("should set SynchronizedAPI to ClusterAPISynchronized", func() { + Eventually(k.Object(mapiMachine), timeout).Should( + HaveField("Status.SynchronizedAPI", Equal(mapiv1beta1.ClusterAPISynchronized)), + ) + }) + }) }) }) diff --git a/pkg/controllers/synccommon/applyconfiguration.go b/pkg/controllers/synccommon/applyconfiguration.go index 761a334c7..832c94527 100644 --- a/pkg/controllers/synccommon/applyconfiguration.go +++ b/pkg/controllers/synccommon/applyconfiguration.go @@ -41,6 +41,7 @@ type syncStatusApplyConfiguration[statusPT any] interface { WithConditions(...*machinev1applyconfigs.ConditionApplyConfiguration) statusPT WithSynchronizedGeneration(int64) statusPT WithAuthoritativeAPI(mapiv1beta1.MachineAuthority) statusPT + WithSynchronizedAPI(mapiv1beta1.SynchronizedAPI) statusPT } // syncStatusApplyConfigurationP asserts that a syncStatusApplyConfiguration is a pointer to a specific concrete type. 
diff --git a/pkg/controllers/synccommon/migratestatus.go b/pkg/controllers/synccommon/migratestatus.go
index 6abef0a0c..d60b8f579 100644
--- a/pkg/controllers/synccommon/migratestatus.go
+++ b/pkg/controllers/synccommon/migratestatus.go
@@ -30,14 +30,16 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
-// ApplyAuthoritativeAPIAndResetSyncStatus writes the status of the migration
-// controller, and also resets the status written by the sync controller. It
-// does this in a single operation, using the field owner of the migration
-// controller.
+// ApplyMigrationStatusAndResetSyncStatus writes the migration controller status fields
+// and resets the sync controller status (sets Synchronized condition to Unknown and
+// synchronizedGeneration to 0).
+//
+// This is used when completing a migration to signal the sync controller that
+// it needs to re-synchronize from the new authoritative API.
 //
 // Due to the potential for racing with the sync controller, it sets
 // ResourceVersion in the operation.
-func ApplyAuthoritativeAPIAndResetSyncStatus[
+func ApplyMigrationStatusAndResetSyncStatus[
 statusPT syncStatusApplyConfigurationP[statusT, statusPT],
 objPT syncObjApplyConfigurationP[objT, objPT, statusPT],
 statusT, objT any,
@@ -47,7 +49,8 @@ func ApplyAuthoritativeAPIAndResetSyncStatus[
 authority mapiv1beta1.MachineAuthority,
 ) error {
 objAC, statusAC, err := newSyncStatusApplyConfiguration(newApplyConfig, mapiObj,
- corev1.ConditionUnknown, controllers.ReasonAuthoritativeAPIChanged, "Waiting for resync after change of AuthoritativeAPI", ptr.To(int64(0)))
+ corev1.ConditionUnknown, controllers.ReasonAuthoritativeAPIChanged, "Waiting for resync after change of AuthoritativeAPI", ptr.To(int64(0)),
+ nil)
 if err != nil {
 return err
 }
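Review bot: The bare `nil` passed as the new `synchronizedAPI` argument of `newSyncStatusApplyConfiguration` has no explanation, and the rewritten doc comment enumerates what is reset (condition to Unknown, synchronizedGeneration to 0) but is silent about `SynchronizedAPI`, so a reader cannot tell whether leaving it out is deliberate. Annotate the call, `nil, // SynchronizedAPI is intentionally not written here; the sync controller re-stamps it on the next resync`, and add the same sentence to the function's doc comment, once it is confirmed that omitting the field under the migration controller's field owner leaves the sync controller's existing value in place rather than clearing it. The body of `ApplyMigrationStatusAndResetSyncStatus` continues past the end of this hunk.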
@@ -55,9 +58,8 @@ func ApplyAuthoritativeAPIAndResetSyncStatus[ return applyAuthoritativeAPI(ctx, k8sClient, controllerName, mapiObj, authority, objAC, statusAC) } -// ApplyAuthoritativeAPI writes the status of the migration controller to a MAPI -// object. -func ApplyAuthoritativeAPI[ +// ApplyMigrationStatus writes the migration controller status fields to a MAPI object. +func ApplyMigrationStatus[ statusPT syncStatusApplyConfigurationP[statusT, statusPT], objPT syncObjApplyConfigurationP[objT, objPT, statusPT], statusT, objT any, @@ -95,13 +97,12 @@ func applyAuthoritativeAPI[ // Note that we are writing fields owned by the synchronization controller // and forcing ownership to the AuthoritativeAPI. The synchronization // controller will force ownership of its own fields back again the next - // time it modifies them. We think this is probably going to work out ok. - // Apologies to future self if it didn't. + // time it modifies them. // // We need to do this due to a validation rule which prevents resetting // synchronizedGeneration unless also changing authoritativeAPI. Given that - // these fields are owned by different controllers, some fudging is - // required. + // these fields are owned by different controllers, explicit field ownership + // management is required. if err := k8sClient.Status().Patch(ctx, mapiObj, util.ApplyConfigPatch(objAC), client.ForceOwnership, client.FieldOwner(controllerName+"-AuthoritativeAPI")); err != nil { return fmt.Errorf("failed to patch Machine API object set status with authoritativeAPI %q: %w", authority, err) } diff --git a/pkg/controllers/synccommon/syncstatus.go b/pkg/controllers/synccommon/syncstatus.go index 403ba7443..39f887a41 100644 --- a/pkg/controllers/synccommon/syncstatus.go +++ b/pkg/controllers/synccommon/syncstatus.go 
@@ -25,6 +25,7 @@ import (
 "github.com/openshift/cluster-capi-operator/pkg/controllers"
 "github.com/openshift/cluster-capi-operator/pkg/util"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/ptr"
 machinev1applyconfigs "github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -52,8 +53,9 @@ func ApplySyncStatus[
 ctx context.Context, k8sClient client.Client, controllerName string,
 applyConfigConstructor syncObjApplyConfigurationConstructor[objPT, statusPT], mapiObj client.Object,
 status corev1.ConditionStatus, reason, message string, generation *int64,
+ synchronizedAPI *mapiv1beta1.SynchronizedAPI,
 ) error {
- objAC, _, err := newSyncStatusApplyConfiguration(applyConfigConstructor, mapiObj, status, reason, message, generation)
+ objAC, _, err := newSyncStatusApplyConfiguration(applyConfigConstructor, mapiObj, status, reason, message, generation, synchronizedAPI)
 if err != nil {
 return err
 }
@@ -81,6 +83,7 @@ func newSyncStatusApplyConfiguration[
 ](
 applyConfigConstructor syncObjApplyConfigurationConstructor[objPT, statusPT],
 mapiObj client.Object, status corev1.ConditionStatus, reason, message string, generation *int64,
+ synchronizedAPI *mapiv1beta1.SynchronizedAPI,
 ) (objPT, statusPT, error) {
 var (
 severity mapiv1beta1.ConditionSeverity
@@ -124,6 +127,12 @@ func newSyncStatusApplyConfiguration[
 WithConditions(conditionAC).
 WithSynchronizedGeneration(synchronizedGeneration)
+ // Set SynchronizedAPI to define deterministically which object's generation
+ // the SynchronizedGeneration refers to.
+ if synchronizedAPI != nil {
+ statusAC.WithSynchronizedAPI(*synchronizedAPI)
+ }
+
 objAC := applyConfigConstructor(mapiObj.GetName(), mapiObj.GetNamespace()).
 WithResourceVersion(mapiObj.GetResourceVersion()).
 WithStatus(statusAC)
@@ -131,6 +140,44 @@ func newSyncStatusApplyConfiguration[
 return objAC, statusAC, nil
 }
+// AuthoritativeAPIToSynchronizedAPI converts a MachineAuthority to its corresponding SynchronizedAPI value.
+// Returns nil for values that don't have a direct mapping.
+func AuthoritativeAPIToSynchronizedAPI(authority mapiv1beta1.MachineAuthority) *mapiv1beta1.SynchronizedAPI {
+ switch authority {
+ case mapiv1beta1.MachineAuthorityMachineAPI:
+ return ptr.To(mapiv1beta1.MachineAPISynchronized)
+ case mapiv1beta1.MachineAuthorityClusterAPI:
+ return ptr.To(mapiv1beta1.ClusterAPISynchronized)
+ }
+
+ return nil
+}
+
+// SynchronizedAPIToAuthoritativeAPI converts a SynchronizedAPI to its corresponding MachineAuthority.
+// Returns an empty value for values that don't have a direct mapping.
+func SynchronizedAPIToAuthoritativeAPI(synchronizedAPI mapiv1beta1.SynchronizedAPI) mapiv1beta1.MachineAuthority {
+ switch synchronizedAPI {
+ case mapiv1beta1.MachineAPISynchronized:
+ return mapiv1beta1.MachineAuthorityMachineAPI
+ case mapiv1beta1.ClusterAPISynchronized:
+ return mapiv1beta1.MachineAuthorityClusterAPI
+ }
+
+ return ""
+}
+
+// MigrationDirection determines the current and desired authorities for a migration.
+// When statusAuthority is Migrating, it uses SynchronizedAPI to infer the current authority.
+func MigrationDirection(statusAuthority mapiv1beta1.MachineAuthority, synchronizedAPI mapiv1beta1.SynchronizedAPI, specAuthority mapiv1beta1.MachineAuthority) (mapiv1beta1.MachineAuthority, mapiv1beta1.MachineAuthority, bool) {
+ desiredAuthority := specAuthority
+ if statusAuthority != mapiv1beta1.MachineAuthorityMigrating {
+ return statusAuthority, desiredAuthority, false
+ }
+
+ currentAuthority := SynchronizedAPIToAuthoritativeAPI(synchronizedAPI)
+ return currentAuthority, desiredAuthority, true
+}
+
 func getPreviousSyncStatus(mapiObj interface{}) (int64, []mapiv1beta1.Condition, error) {
 // Unlike the apply configurations, which have method accessors, we can't
 // define an interface to assert the presence of fields.
diff --git a/pkg/conversion/test/fuzz/fuzz.go b/pkg/conversion/test/fuzz/fuzz.go
index 3ca84b8ec..306a3d465 100644
--- a/pkg/conversion/test/fuzz/fuzz.go
+++ b/pkg/conversion/test/fuzz/fuzz.go
@@ -761,6 +761,7 @@ func MAPIMachineFuzzerFuncs(providerSpec runtime.Object, providerStatus interfac
 m.LastOperation = nil // Ignore, this field as it is not present in CAPI.
 m.AuthoritativeAPI = "" // Ignore, this field as it is not present in CAPI.
+ m.SynchronizedAPI = "" // Ignore, this field as it is not present in CAPI.
 m.SynchronizedGeneration = 0 // Ignore, this field as it is not present in CAPI.
 m.Conditions = nil // Ignore, this field as it is not a 1:1 mapping between CAPI and MAPI but rather a recomputation of the conditions based on other fields.
 },
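Review bot: `MigrationDirection` returns an empty `currentAuthority` whenever the object is Migrating but `SynchronizedAPI` holds no mapped value (`SynchronizedAPIToAuthoritativeAPI` falls through to `""`), which is plausibly the state of any object that entered Migrating before this field was introduced, and neither the doc comment nor the unnamed results tell a caller that this case exists. Document the three results and the empty case, e.g. `// It returns (current, desired, migrating). current is "" when the object is Migrating but SynchronizedAPI carries no mapped value; callers must treat that as an unknown direction and not act on it.` A `default:` arm in both switches would also make the deliberate fall-through visible to exhaustiveness linters instead of relying on the trailing return.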
@@ -807,6 +808,7 @@ func MAPIMachineSetFuzzerFuncs() fuzzer.FuzzerFuncs {
 
 m.ObservedGeneration = 0 // Ignore, this field as it shouldn't match between CAPI and MAPI.
 m.AuthoritativeAPI = "" // Ignore, this field as it is not present in CAPI.
+ m.SynchronizedAPI = "" // Ignore, this field as it is not present in CAPI.
 m.SynchronizedGeneration = 0 // Ignore, this field as it is not present in CAPI.
 m.Conditions = nil // Ignore, this field as it is not a 1:1 mapping between CAPI and MAPI but rather a recomputation of the conditions based on other fields.
 },
diff --git a/vendor/github.com/openshift/api/.coderabbit.yaml b/vendor/github.com/openshift/api/.coderabbit.yaml
index 1cb17f1e1..a3ee2d122 100644
--- a/vendor/github.com/openshift/api/.coderabbit.yaml
+++ b/vendor/github.com/openshift/api/.coderabbit.yaml
@@ -14,6 +14,7 @@ reviews:
 - "!payload-manifests"
 - "!**/zz_generated.crd-manifests/*" # Contains files
 - "!**/zz_generated.featuregated-crd-manifests/**" # Contains folders
+ - "!openapi/**"
 - "!**/vendor/**"
 - "!vendor/**"
 tools:
diff --git a/vendor/github.com/openshift/api/.golangci.go-validated.yaml b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
index 44c73149d..ed8fcdbe2 100644
--- a/vendor/github.com/openshift/api/.golangci.go-validated.yaml
+++ b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
@@ -12,6 +12,7 @@ linters:
 linters:
 enable:
 - optionalfields
+ - nonpointerstructs
 disable:
 - "*"
 lintersConfig:
diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml
index 516339b48..4c6ded3f6 100644
--- a/vendor/github.com/openshift/api/.golangci.yaml
+++ b/vendor/github.com/openshift/api/.golangci.yaml
@@ -13,12 +13,15 @@ linters:
 enable:
 - forbiddenmarkers
 - maxlength
+ - minlength
 - namingconventions
 - nobools
 - nomaps
+ - preferredmarkers
 - statussubresource
 disable:
 - statusoptional # This is legacy and not something we currently recommend.
+ - nonpointerstructs # This is intended for native types, not CRD types.
 lintersConfig:
 conditions:
 isFirstField: Warn
@@ -30,7 +33,6 @@ linters:
 - identifier: "openshift:validation:FeatureSetAwareEnum"
 - identifier: "openshift:validation:FeatureSetAwareXValidation"
 - identifier: "kubebuilder:validation:UniqueItems"
- - identifier: "kubebuilder:validation:Pattern" # Use CEL expressions instead
 optionalfields:
 pointers:
 preference: WhenRequired
@@ -44,6 +46,11 @@ linters:
 # This will force omitzero on optional struct fields.
 # This means they can be omitted correctly and prevents the need for pointers to structs.
 policy: SuggestFix
+ preferredmarkers:
+ markers:
+ - preferredIdentifier: "kubebuilder:validation:XValidation"
+ equivalentIdentifiers:
+ - identifier: "kubebuilder:validation:Pattern" # Use CEL expressions instead to allow more expressive error messages.
 requiredfields:
 pointers:
 # This will force pointers when the field is required, but only when the zero
@@ -60,15 +67,13 @@ linters:
 policy: SuggestFix
 namingconventions:
 conventions:
- - name: norefs
- violationMatcher: "(?i)ref(erence)?s?$"
- operation: Drop
- message: "reference fields should not need to be named ref(s)/reference(s)"
 - name: nokind
 violationMatcher: "^Kind$"
 operation: Replacement
 replacement: "Resource"
 message: "API Kinds can be ambiguous and should be replaced with Resource"
+ noreferences:
+ policy: NoReferences
 uniquemarkers:
 customMarkers:
 - identifier: "openshift:validation:FeatureGateAwareEnum"
diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile
index c069d8040..9b32b58e4 100644
--- a/vendor/github.com/openshift/api/Makefile
+++ b/vendor/github.com/openshift/api/Makefile
@@ -114,15 +114,17 @@ update-scripts: update-compatibility update-openapi update-deepcopy update-proto
 # Update codegen runs all generators in the order they are defined in the root.go file.
 # The per group generators are:[compatibility, deepcopy, swagger-docs, empty-partial-schema, schema-patch, crd-manifest-merge]
 # The multi group generators are:[openapi]
+# The payload generation must come after these generators have run so they are included here as well, rather than in update-non-codegen.
 .PHONY: update-codegen
 update-codegen:
 hack/update-codegen.sh
+ make update-payload-crds update-payload-featuregates
 
 # Update non-codegen runs all generators that are not part of the codegen utility, or
 # are part of it, but are not run by default when invoking codegen without a specific generator.
 # E.g. the payload feature gates which is not part of the generator style, but is still a subcommand.
 .PHONY: update-non-codegen
-update-non-codegen: update-protobuf tests-vendor update-prerelease-lifecycle-gen update-payload-crds update-payload-featuregates
+update-non-codegen: update-protobuf tests-vendor update-prerelease-lifecycle-gen
 
 .PHONY: update-compatibility
 update-compatibility:
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go
index 46e211cd5..5abbfec7c 100644
--- a/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go
@@ -21,6 +21,7 @@ import (
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=compatibilityrequirements,scope=Cluster
 // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2479
+// +kubebuilder:metadata:annotations="release.openshift.io/feature-gate=CRDCompatibilityRequirementOperator"
 type CompatibilityRequirement struct {
 metav1.TypeMeta `json:",inline"`
 
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 319f2b335..433546401 100644
--- a/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -1,5 +1,6 @@
 compatibilityrequirements.apiextensions.openshift.io:
- Annotations: {}
+ Annotations:
+ release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator
 ApprovedPRNumber: https://github.com/openshift/api/pull/2479
 CRDName: compatibilityrequirements.apiextensions.openshift.io
 Capability: ""
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
index 0afe7b1d8..31d888185 100644
--- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -212,6 +212,7 @@ type APIServerEncryption struct {
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
 // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
 type EncryptionType string
 
 const (
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 52a41b2fe..e7433281f 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -80,8 +80,7 @@ type AuthenticationSpec struct {
 // +optional
 ServiceAccountIssuer string `json:"serviceAccountIssuer"`
 
- // oidcProviders are OIDC identity providers that can issue tokens
- // for this cluster
+ // oidcProviders are OIDC identity providers that can issue tokens for this cluster
 // Can only be set if "Type" is set to "OIDC".
 //
 // At most one provider can be configured.
@@ -91,6 +90,7 @@ type AuthenticationSpec struct {
 // +kubebuilder:validation:MaxItems=1
 // +openshift:enable:FeatureGate=ExternalOIDC
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
 // +optional
 OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -112,8 +112,7 @@ type AuthenticationStatus struct {
 // +optional
 IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
 
- // oidcClients is where participating operators place the current OIDC client status
- // for OIDC clients that can be customized by the cluster-admin.
+ // oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.
 //
 // +listType=map
 // +listMapKey=componentNamespace
@@ -145,8 +144,7 @@ type AuthenticationType string
 
 const (
 // None means that no cluster managed authentication system is in place.
- // Note that user login will only work if a manually configured system is in place and
- // referenced in authentication spec via oauthMetadata and
+ // Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and
 // webhookTokenAuthenticator/oidcProviders
 AuthenticationTypeNone AuthenticationType = "None"
 
@@ -198,10 +196,8 @@ const (
 )
 
 type OIDCProvider struct {
- // name is a required field that configures the unique human-readable identifier
- // associated with the identity provider.
- // It is used to distinguish between multiple identity providers
- // and has no impact on token validation or authentication mechanics.
+ // name is a required field that configures the unique human-readable identifier associated with the identity provider.
+ // It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.
 //
 // name must not be an empty string ("").
 //
@@ -209,15 +205,12 @@ type OIDCProvider struct {
 // +required
 Name string `json:"name"`
 
- // issuer is a required field that configures how the platform interacts
- // with the identity provider and how tokens issued from the identity provider
- // are evaluated by the Kubernetes API server.
+ // issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.
 //
 // +required
 Issuer TokenIssuer `json:"issuer"`
 
- // oidcClients is an optional field that configures how on-cluster,
- // platform clients should request tokens from the identity provider.
+ // oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider.
 // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
 //
 // +listType=map
@@ -227,32 +220,40 @@ type OIDCProvider struct {
 // +optional
 OIDCClients []OIDCClientConfig `json:"oidcClients"`
 
- // claimMappings is a required field that configures the rules to be used by
- // the Kubernetes API server for translating claims in a JWT token, issued
- // by the identity provider, to a cluster identity.
+ // claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.
 //
 // +required
 ClaimMappings TokenClaimMappings `json:"claimMappings"`
 
- // claimValidationRules is an optional field that configures the rules to
- // be used by the Kubernetes API server for validating the claims in a JWT
- // token issued by the identity provider.
+ // claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.
 //
 // Validation rules are joined via an AND operation.
 //
 // +listType=atomic
 // +optional
 ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
+
+ // userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes.
+ // Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
+ // If any rule in the chain of rules evaluates to 'false', authentication will fail.
+ // When specified, at least one rule must be specified and no more than 64 rules may be specified.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=expression
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
 }
 
 // +kubebuilder:validation:MinLength=1
 type TokenAudience string
 
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL"
 type TokenIssuer struct {
- // issuerURL is a required field that configures the URL used to issue tokens
- // by the identity provider.
- // The Kubernetes API server determines how authentication tokens should be handled
- // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+ // issuerURL is a required field that configures the URL used to issue tokens by the identity provider.
+ // The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 //
 // Must be at least 1 character and must not exceed 512 characters in length.
 // Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
@@ -267,8 +268,7 @@ type TokenIssuer struct {
 // +required
 URL string `json:"issuerURL"`
 
- // audiences is a required field that configures the acceptable audiences
- // the JWT token, issued by the identity provider, must be issued to.
+ // audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to.
 // At least one of the entries must match the 'aud' claim in the JWT token.
 //
 // audiences must contain at least one entry and must not exceed ten entries.
@@ -279,54 +279,65 @@ type TokenIssuer struct {
 // +required
 Audiences []TokenAudience `json:"audiences"`
 
- // issuerCertificateAuthority is an optional field that configures the
- // certificate authority, used by the Kubernetes API server, to validate
- // the connection to the identity provider when fetching discovery information.
+ // issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.
 //
 // When not specified, the system trust is used.
 //
- // When specified, it must reference a ConfigMap in the openshift-config
- // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
- // key in the data field of the ConfigMap.
+ // When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.
 //
 // +optional
 CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
+ // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata.
+ // By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
+ //
+ // The discoveryURL must be a valid absolute HTTPS URL.
+ // It must not contain query parameters, user information, or fragments.
+ // Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
+ // The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="discoveryURL must be a valid URL"
+ // +kubebuilder:validation:XValidation:rule="url(self).getScheme() == 'https'",message="discoveryURL must be a valid https URL"
+ // +kubebuilder:validation:XValidation:rule="url(self).getQuery().size() == 0",message="discoveryURL must not contain query parameters"
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments"
+ // +kubebuilder:validation:XValidation:rule="!self.matches('^https://.+:.+@.+/.*$')",message="discoveryURL must not contain user info"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ DiscoveryURL string `json:"discoveryURL,omitempty"`
 }
 
 type TokenClaimMappings struct {
- // username is a required field that configures how the username of a cluster identity
- // should be constructed from the claims in a JWT token issued by the identity provider.
+ // username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
 //
 // +required
 Username UsernameClaimMapping `json:"username"`
 
- // groups is an optional field that configures how the groups of a cluster identity
- // should be constructed from the claims in a JWT token issued
- // by the identity provider.
- // When referencing a claim, if the claim is present in the JWT
- // token, its value must be a list of groups separated by a comma (',').
+ // groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+ //
+ // When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').
+ //
 // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
 //
 // +optional
 Groups PrefixedClaimMapping `json:"groups,omitempty"`
 
- // uid is an optional field for configuring the claim mapping
- // used to construct the uid for the cluster identity.
+ // uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.
 //
 // When using uid.claim to specify the claim it must be a single string value.
 // When using uid.expression the expression must result in a single string value.
 //
- // When omitted, this means the user has no opinion and the platform
- // is left to choose a default, which is subject to change over time.
+ // When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.
+ //
 // The current default is to use the 'sub' claim.
 //
 // +optional
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
 
- // extra is an optional field for configuring the mappings
- // used to construct the extra attribute for the cluster identity.
+ // extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity.
 // When omitted, no extra attributes will be present on the cluster identity.
+ //
 // key values for extra mappings must be unique.
 // A maximum of 32 extra attribute mappings may be provided.
 //
@@ -338,52 +349,39 @@ type TokenClaimMappings struct {
 Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
-// TokenClaimMapping allows specifying a JWT token
-// claim to be used when mapping claims from an
-// authentication token to cluster identities.
+// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimMapping struct {
- // claim is a required field that configures the JWT token
- // claim whose value is assigned to the cluster identity
- // field associated with this mapping.
+ // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 //
 // +required
 Claim string `json:"claim"`
 }
 
-// TokenClaimOrExpressionMapping allows specifying either a JWT
-// token claim or CEL expression to be used when mapping claims
-// from an authentication token to cluster identities.
+// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
 // +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
 type TokenClaimOrExpressionMapping struct {
- // claim is an optional field for specifying the
- // JWT token claim that is used in the mapping.
- // The value of this claim will be assigned to
- // the field in which this mapping is associated.
+ // claim is an optional field for specifying the JWT token claim that is used in the mapping.
+ // The value of this claim will be assigned to the field in which this mapping is associated.
 //
 // Precisely one of claim or expression must be set.
 // claim must not be specified when expression is set.
- // When specified, claim must be at least 1 character in length
- // and must not exceed 256 characters in length.
+ // When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.
 //
 // +optional
 // +kubebuilder:validation:MaxLength=256
 // +kubebuilder:validation:MinLength=1
 Claim string `json:"claim,omitempty"`
 
- // expression is an optional field for specifying a
- // CEL expression that produces a string value from
- // JWT token claims.
+ // expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.
 //
- // CEL expressions have access to the token claims
- // through a CEL variable, 'claims'.
+ // CEL expressions have access to the token claims through a CEL variable, 'claims'.
 // 'claims' is a map of claim names to claim values.
 // For example, the 'sub' claim value can be accessed as 'claims.sub'.
 // Nested claims can be accessed using dot notation ('claims.foo.bar').
 //
 // Precisely one of claim or expression must be set.
 // expression must not be specified when claim is set.
- // When specified, expression must be at least 1 character in length
- // and must not exceed 1024 characters in length.
+ // When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.
 //
 // +optional
 // +kubebuilder:validation:MaxLength=1024
@@ -391,13 +389,10 @@ type TokenClaimOrExpressionMapping struct {
 Expression string `json:"expression,omitempty"`
 }
 
-// ExtraMapping allows specifying a key and CEL expression
-// to evaluate the keys' value. It is used to create additional
-// mappings and attributes added to a cluster identity from
-// a provided authentication token.
+// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value.
+// It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.
 type ExtraMapping struct {
- // key is a required field that specifies the string
- // to use as the extra attribute key.
+ // key is a required field that specifies the string to use as the extra attribute key.
 //
 // key must be a domain-prefix path (e.g 'example.org/foo').
 // key must not exceed 510 characters in length.
@@ -410,8 +405,7 @@ type ExtraMapping struct {
 // It must only contain lower case alphanumeric characters and '-' or '.'.
 // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
 //
- // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
- // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+ // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
 // It must not exceed 256 characters in length.
 //
 // +required
@@ -433,14 +427,12 @@ type ExtraMapping struct {
 // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
 Key string `json:"key"`
 
- // valueExpression is a required field to specify the CEL expression to extract
- // the extra attribute value from a JWT token's claims.
+ // valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
 // valueExpression must produce a string or string array value.
 // "", [], and null are treated as the extra mapping not being present.
 // Empty string values within an array are filtered out.
 //
- // CEL expressions have access to the token claims
- // through a CEL variable, 'claims'.
+ // CEL expressions have access to the token claims through a CEL variable, 'claims'.
 // 'claims' is a map of claim names to claim values.
 // For example, the 'sub' claim value can be accessed as 'claims.sub'.
 // Nested claims can be accessed using dot notation ('claims.foo.bar').
@@ -454,12 +446,10 @@ type ExtraMapping struct {
 ValueExpression string `json:"valueExpression"`
 }
 
-// OIDCClientConfig configures how platform clients
-// interact with identity providers as an authentication
-// method
+// OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.
 type OIDCClientConfig struct {
- // componentName is a required field that specifies the name of the platform
- // component being configured to use the identity provider as an authentication mode.
+ // componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.
+ //
 // It is used in combination with componentNamespace as a unique identifier.
 //
 // componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -469,9 +459,8 @@ type OIDCClientConfig struct {
 // +required
 ComponentName string `json:"componentName"`
 
- // componentNamespace is a required field that specifies the namespace in which the
- // platform component being configured to use the identity provider as an authentication
- // mode is running.
+ // componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.
+ //
 // It is used in combination with componentName as a unique identifier.
 //
 // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -481,11 +470,8 @@ type OIDCClientConfig struct {
 // +required
 ComponentNamespace string `json:"componentNamespace"`
 
- // clientID is a required field that configures the client identifier, from
- // the identity provider, that the platform component uses for authentication
- // requests made to the identity provider.
- // The identity provider must accept this identifier for platform components
- // to be able to use the identity provider as an authentication mode.
+ // clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider.
+ // The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.
 //
 // clientID must not be an empty string ("").
 //
@@ -493,27 +479,21 @@ type OIDCClientConfig struct {
 // +required
 ClientID string `json:"clientID"`
- // clientSecret is an optional field that configures the client secret used
- // by the platform component when making authentication requests to the identity provider.
+ // clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.
 //
- // When not specified, no client secret will be used when making authentication requests
- // to the identity provider.
+ // When not specified, no client secret will be used when making authentication requests to the identity provider.
+ //
+ // When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 //
- // When specified, clientSecret references a Secret in the 'openshift-config'
- // namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 // The client secret will be used when making authentication requests to the identity provider.
 //
- // Public clients do not require a client secret but private
- // clients do require a client secret to work with the identity provider.
+ // Public clients do not require a client secret but private clients do require a client secret to work with the identity provider.
 //
 // +optional
 ClientSecret SecretNameReference `json:"clientSecret"`
- // extraScopes is an optional field that configures the extra scopes that should
- // be requested by the platform component when making authentication requests to the
- // identity provider.
- // This is useful if you have configured claim mappings that requires specific
- // scopes to be requested beyond the standard OIDC scopes.
+ // extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider.
+ // This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.
 //
 // When omitted, no additional scopes are requested.
 //
@@ -526,8 +506,7 @@ type OIDCClientConfig struct {
 // of platform components and how they interact with
 // the configured identity providers.
 type OIDCClientStatus struct {
- // componentName is a required field that specifies the name of the platform
- // component using the identity provider as an authentication mode.
+ // componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode.
 // It is used in combination with componentNamespace as a unique identifier.
 //
 // componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -537,9 +516,8 @@ type OIDCClientStatus struct {
 // +required
 ComponentName string `json:"componentName"`
- // componentNamespace is a required field that specifies the namespace in which the
- // platform component using the identity provider as an authentication
- // mode is running.
+ // componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.
+ //
 // It is used in combination with componentName as a unique identifier.
 //
 // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -550,6 +528,7 @@ type OIDCClientStatus struct {
 ComponentNamespace string `json:"componentNamespace"`
 // currentOIDCClients is an optional list of clients that the component is currently using.
+ //
 // Entries must have unique issuerURL/clientID pairs.
 //
 // +listType=map
@@ -558,8 +537,7 @@ type OIDCClientStatus struct {
 // +optional
 CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
- // consumingUsers is an optional list of ServiceAccounts requiring
- // read permissions on the `clientSecret` secret.
+ // consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.
 //
 // consumingUsers must not exceed 5 entries.
 //
@@ -585,8 +563,7 @@ type OIDCClientStatus struct {
 // OIDCClientReference is a reference to a platform component
 // client configuration.
 type OIDCClientReference struct {
- // oidcProviderName is a required reference to the 'name' of the identity provider
- // configured in 'oidcProviders' that this client is associated with.
+ // oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.
 //
 // oidcProviderName must not be an empty string ("").
 //
@@ -594,8 +571,7 @@ type OIDCClientReference struct {
 // +required
 OIDCProviderName string `json:"oidcProviderName"`
- // issuerURL is a required field that specifies the URL of the identity
- // provider that this client is configured to make requests against.
+ // issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.
 //
 // issuerURL must use the 'https' scheme.
 //
@@ -603,9 +579,7 @@ type OIDCClientReference struct {
 // +required
 IssuerURL string `json:"issuerURL"`
- // clientID is a required field that specifies the client identifier, from
- // the identity provider, that the platform component is using for authentication
- // requests made to the identity provider.
+ // clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.
 //
 // clientID must not be empty.
 //
@@ -617,9 +591,7 @@ type OIDCClientReference struct {
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
 type UsernameClaimMapping struct {
- // claim is a required field that configures the JWT token
- // claim whose value is assigned to the cluster identity
- // field associated with this mapping.
+ // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 //
 // claim must not be an empty string ("") and must not exceed 256 characters.
 //
@@ -628,23 +600,21 @@ type UsernameClaimMapping struct {
 // +kubebuilder:validation:MaxLength:=256
 Claim string `json:"claim"`
- // prefixPolicy is an optional field that configures how a prefix should be
- // applied to the value of the JWT claim specified in the 'claim' field.
+ // prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 //
 // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 //
- // When set to 'Prefix', the value specified in the prefix field will be
- // prepended to the value of the JWT claim.
+ // When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
+ //
 // The prefix field must be set when prefixPolicy is 'Prefix'.
 //
- // When set to 'NoPrefix', no prefix will be prepended to the value
- // of the JWT claim.
+ // When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
+ //
+ // When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
+ // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 //
- // When omitted, this means no opinion and the platform is left to choose
- // any prefixes that are applied which is subject to change over time.
- // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
- // when the claim is not 'email'.
 // As an example, consider the following scenario:
+ //
 // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
 // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
 // and `claim` is set to:
@@ -656,8 +626,7 @@ type UsernameClaimMapping struct {
 // +unionDiscriminator
 PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
- // prefix configures the prefix that should be prepended to the value
- // of the JWT claim.
+ // prefix configures the prefix that should be prepended to the value of the JWT claim.
 //
 // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
 //
@@ -666,9 +635,7 @@ type UsernameClaimMapping struct {
 Prefix *UsernamePrefix `json:"prefix"`
 }
-// UsernamePrefixPolicy configures how prefixes should be applied
-// to values extracted from the JWT claims during the process of mapping
-// JWT claims to cluster identity attributes.
+// UsernamePrefixPolicy configures how prefixes should be applied to values extracted from the JWT claims during the process of mapping JWT claims to cluster identity attributes.
 // +enum
 type UsernamePrefixPolicy string
@@ -687,9 +654,7 @@ var (
 // UsernamePrefix configures the string that should
 // be used as a prefix for username claim mappings.
 type UsernamePrefix struct {
- // prefixString is a required field that configures the prefix that will
- // be applied to cluster identity username attribute
- // during the process of mapping JWT claims to cluster identity attributes.
+ // prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.
 //
 // prefixString must not be an empty string ("").
 //
@@ -703,51 +668,62 @@ type UsernamePrefix struct {
 type PrefixedClaimMapping struct {
 TokenClaimMapping `json:",inline"`
- // prefix is an optional field that configures the prefix that will be
- // applied to the cluster identity attribute during the process of mapping
- // JWT claims to cluster identity attributes.
+ // prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 //
 // When omitted (""), no prefix is applied to the cluster identity attribute.
 //
- // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
- // an array of strings "a", "b" and "c", the mapping will result in an
- // array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 //
 // +optional
 Prefix string `json:"prefix"`
 }
-// TokenValidationRuleType represents the different
-// claim validation rule types that can be configured.
+// TokenValidationRuleType defines the type of token validation rule.
 // +enum
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUpstreamParity,enum="RequiredClaim";"CEL"
 type TokenValidationRuleType string
 const (
+ // TokenValidationRuleTypeRequiredClaim indicates that the token must contain a specific claim.
+ // Used as a value for TokenValidationRuleType.
 TokenValidationRuleTypeRequiredClaim = "RequiredClaim"
+ // TokenValidationRuleTypeCEL indicates that the token validation is defined via a CEL expression.
+ // Used as a value for TokenValidationRuleType.
+ TokenValidationRuleTypeCEL = "CEL"
 )
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If Type is CEL, CEL must be set and RequiredClaim must be omitted.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.type) && self.type == 'CEL' ? has(self.cel) : !has(self.cel)",message="cel must be set when type is 'CEL', and forbidden otherwise"
 type TokenClaimValidationRule struct {
 // type is an optional field that configures the type of the validation rule.
 //
- // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
- //
- // When set to 'RequiredClaim', the Kubernetes API server
- // will be configured to validate that the incoming JWT
- // contains the required claim and that its value matches
- // the required value.
+ // Allowed values are "RequiredClaim" and "CEL".
 //
- // Defaults to 'RequiredClaim'.
+ // When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
 //
- // +kubebuilder:validation:Enum={"RequiredClaim"}
- // +kubebuilder:default="RequiredClaim"
+ // When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
+ // +required
 Type TokenValidationRuleType `json:"type"`
- // requiredClaim is an optional field that configures the required claim
- // and value that the Kubernetes API server will use to validate if an incoming
- // JWT is valid for this identity provider.
+ // requiredClaim allows configuring a required claim name and its expected value.
+ // This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ // The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 //
 // +optional
 RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
+
+ // cel holds the CEL expression and message for validation.
+ // Must be set when Type is "CEL", and forbidden otherwise.
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ CEL TokenClaimValidationCELRule `json:"cel,omitempty,omitzero"`
 }
 type TokenRequiredClaim struct {
@@ -760,10 +736,8 @@ type TokenRequiredClaim struct {
 // +required
 Claim string `json:"claim"`
- // requiredValue is a required field that configures the value that 'claim' must
- // have when taken from the incoming JWT claims.
- // If the value in the JWT claims does not match, the token
- // will be rejected for authentication.
+ // requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims.
+ // If the value in the JWT claims does not match, the token will be rejected for authentication.
 //
 // requiredValue must not be an empty string ("").
 //
@@ -771,3 +745,43 @@ type TokenRequiredClaim struct {
 // +required
 RequiredValue string `json:"requiredValue"`
 }
+
+type TokenClaimValidationCELRule struct {
+ // expression is a CEL expression evaluated against token claims.
+ // expression is required, must be at least 1 character in length and must not exceed 1024 characters.
+ // The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +required
+ Expression string `json:"expression,omitempty"`
+
+ // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+ // message must be at least 1 character in length and must not exceed 256 characters.
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ Message string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
+// Each rule contains a CEL expression that is evaluated against the token’s claims.
+type TokenUserValidationRule struct {
+ // expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.
+ //
+ // The expression must evaluate to a boolean value.
+ // When the expression evaluates to 'true', the cluster user identity is considered valid.
+ // When the expression evaluates to 'false', the cluster user identity is not considered valid.
+ // expression must be at least 1 character in length and must not exceed 1024 characters.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+ // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+ // message must be at least 1 character in length and must not exceed 256 characters.
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
index ca604e05c..491390098 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
@@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct {
 // policy is a required field that contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 // +k8s:deepcopy-gen=true
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index e5aad151e..5f36f693d 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -199,9 +199,23 @@ type ClusterVersionStatus struct {
 // availableUpdates. This list may be empty if no updates are
 // recommended, if the update service is unavailable, or if an empty
 // or invalid channel has been specified.
+ // +kubebuilder:validation:MaxItems=500
 // +listType=atomic
 // +optional
 ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"`
+
+ // conditionalUpdateRisks contains the list of risks associated with conditionalUpdates.
+ // When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field.
+ // If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked.
+ // The risk names in the list must be unique.
+ // conditionalUpdateRisks must not contain more than 500 entries.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MaxItems=500
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=name
+ // +optional
+ ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"`
 }
 // UpdateState is a constant representing whether an update was successfully
@@ -258,7 +272,7 @@ type UpdateHistory struct {
 Verified bool `json:"verified"`
 // acceptedRisks records risks which were accepted to initiate the update.
- // For example, it may menition an Upgradeable=False or missing signature
+ // For example, it may mention an Upgradeable=False or missing signature
 // that was overridden via desiredUpdate.force, or an update that was
 // initiated despite not being in the availableUpdates set of recommended
 // update targets.
@@ -732,6 +746,30 @@ type Update struct {
 //
 // +optional
 Force bool `json:"force"`
+
+ // acceptRisks is an optional set of names of conditional update risks that are considered acceptable.
+ // A conditional update is performed only if all of its risks are acceptable.
+ // This list may contain entries that apply to current, previous or future updates.
+ // The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks.
+ // acceptRisks must not contain more than 1000 entries.
+ // Entries in this list must be unique.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MaxItems=1000
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=name
+ // +optional
+ AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"`
+}
+
+// AcceptRisk represents a risk that is considered acceptable.
+type AcceptRisk struct {
+ // name is the name of the acceptable risk.
+ // It must be a non-empty string and must not exceed 256 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +required
+ Name string `json:"name,omitempty"`
 }
 // Release represents an OpenShift release image and associated metadata.
@@ -787,12 +825,27 @@ type ConditionalUpdate struct {
 // +required
 Release Release `json:"release"`
+ // riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters.
+ // The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster.
+ // A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator.
+ // The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field.
+ // Entries must be unique and must not exceed 256 characters.
+ // riskNames must not contain more than 500 entries.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:items:MaxLength=256
+ // +kubebuilder:validation:MaxItems=500
+ // +listType=set
+ // +optional
+ RiskNames []string `json:"riskNames,omitempty"`
+
 // risks represents the range of issues associated with
 // updating to the target release. The cluster-version
 // operator will evaluate all entries, and only recommend the
 // update if there is at least one entry and all entries
 // recommend the update.
 // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=200
 // +patchMergeKey=name
 // +patchStrategy=merge
 // +listType=map
@@ -813,6 +866,20 @@ type ConditionalUpdate struct {
 // for not recommending a conditional update.
 // +k8s:deepcopy-gen=true
 type ConditionalUpdateRisk struct {
+ // conditions represents the observations of the conditional update
+ // risk's current status. Known types are:
+ // * Applies, for whether the risk applies to the current cluster.
+ // The condition's types in the list must be unique.
+ // conditions must not contain more than one entry.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=type
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
 // url contains information about this risk.
 // +kubebuilder:validation:Format=uri
 // +kubebuilder:validation:MinLength=1
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
index a6a640513..3cc46141c 100644
--- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
@@ -51,7 +51,7 @@ type ImagePolicySpec struct {
 // policy is a required field that contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -60,8 +60,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 // rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
 // This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
 // +required
@@ -89,18 +89,18 @@ type PolicyRootOfTrust struct {
 // publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
 // publicKey is required when policyType is PublicKey, and forbidden otherwise.
 // +optional
- PublicKey *PublicKey `json:"publicKey,omitempty"`
+ PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 // fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
 // fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
 // For more information about Fulcio and Rekor, please refer to the document at:
 // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 // +optional
- FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+ FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 // pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 // pki is required when policyType is PKI, and forbidden otherwise.
 // +optional
 // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
- PKI *PKI `json:"pki,omitempty"`
+ PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -113,8 +113,8 @@ const (
 PKIRootOfTrust PolicyType = "PKI"
 )
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 // keyData is a required field contains inline base64-encoded data for the PEM format public key.
 // keyData must be at most 8192 characters.
 // +required
@@ -132,8 +132,8 @@ type PublicKey struct {
 RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 // fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
 // fulcioCAData must be at most 8192 characters.
 // +required
@@ -172,8 +172,8 @@ type PolicyFulcioSubject struct {
 SignedEmail string `json:"signedEmail"`
 }
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 // +required
 // +kubebuilder:validation:MaxLength=8192
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 313ed57a4..369ba1e7a 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -302,9 +302,10 @@ type PlatformSpec struct {
 // balancers, dynamic volume provisioning, machine creation and deletion, and
 // other integrations are enabled. If None, no infrastructure automation is
 // enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
- // "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
- // "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
- // and must handle unrecognized platforms as None if they do not support that platform.
+ // "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal",
+ // "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual
+ // components may not support all platforms, and must handle unrecognized
+ // platforms as None if they do not support that platform.
 //
 // +unionDiscriminator
 Type PlatformType `json:"type"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go
index b0959881f..710d4303d 100644
--- a/vendor/github.com/openshift/api/config/v1/types_insights.go
+++ b/vendor/github.com/openshift/api/config/v1/types_insights.go
@@ -13,6 +13,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448
 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
 // +openshift:enable:FeatureGate=InsightsConfig
+// +openshift:capability=Insights
 //
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
index c0d1602b3..fb8ed2fff 100644
--- a/vendor/github.com/openshift/api/config/v1/types_network.go
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -41,7 +41,7 @@ type Network struct {
 // As a general rule, this SHOULD NOT be read directly. Instead, you should
 // consume the NetworkStatus, as it indicates the currently deployed configuration.
 // Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkDiagnosticsConfig,rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
+// +kubebuilder:validation:XValidation:rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
 type NetworkSpec struct {
 // IP address pool to use for pod IPs.
 // This field is immutable after installation.
@@ -85,7 +85,6 @@ type NetworkSpec struct {
 // the network diagnostics feature will be disabled.
 //
 // +optional
- // +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 NetworkDiagnostics NetworkDiagnostics `json:"networkDiagnostics"`
 }
 
@@ -119,7 +118,6 @@ type NetworkStatus struct {
 // +optional
 // +listType=map
 // +listMapKey=type
- // +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index b18ef647c..1e5189796 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -4,178 +4,130 @@ package v1 // is used by operators to apply TLS security settings to operands. // +union type TLSSecurityProfile struct { - // type is one of Old, Intermediate, Modern or Custom. Custom provides - // the ability to specify individual TLS security profile parameters. - // Old, Intermediate and Modern are TLS security profiles based on: + // type is one of Old, Intermediate, Modern or Custom. Custom provides the + // ability to specify individual TLS security profile parameters. // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + // The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + // configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + // forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // - // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - // reduced. - // - // Note that the Modern profile is currently not supported because it is not - // yet well adopted by common software libraries. + // The profiles are intent based, so they may change over time as new ciphers are + // developed and existing ciphers are found to be insecure. Depending on + // precisely which ciphers are available to a process, the list may be reduced. // // +unionDiscriminator // +optional Type TLSProfileType `json:"type"` - // old is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + // old is a TLS profile for use when services need to be accessed by very old + // clients or libraries and should be used only as a last resort. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "old" profile ciphers. 
// + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS10 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 - // // - DHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-ECDSA-AES128-SHA256 - // // - ECDHE-RSA-AES128-SHA256 - // // - ECDHE-ECDSA-AES128-SHA - // // - ECDHE-RSA-AES128-SHA - // // - ECDHE-ECDSA-AES256-SHA384 - // // - ECDHE-RSA-AES256-SHA384 - // // - ECDHE-ECDSA-AES256-SHA - // // - ECDHE-RSA-AES256-SHA - // // - DHE-RSA-AES128-SHA256 - // // - DHE-RSA-AES256-SHA256 - // // - AES128-GCM-SHA256 - // // - AES256-GCM-SHA384 - // // - AES128-SHA256 - // // - AES256-SHA256 - // // - AES128-SHA - // // - AES256-SHA - // // - DES-CBC3-SHA // - // minTLSVersion: VersionTLS10 - // // +optional // +nullable Old *OldTLSProfile `json:"old,omitempty"` - // intermediate is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + // intermediate is a TLS profile for use when you do not need compatibility with + // legacy clients and want to remain highly secure while being compatible with + // most clients currently in use. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "intermediate" profile ciphers. 
// + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS12 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 // - // minTLSVersion: VersionTLS12 - // // +optional // +nullable Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"` - // modern is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - // - // and looks like this (yaml): + + // modern is a TLS security profile for use with clients that support TLS 1.3 and + // do not need backward compatibility for older clients. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS13 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 // - // minTLSVersion: VersionTLS13 - // // +optional // +nullable Modern *ModernTLSProfile `json:"modern,omitempty"` + // custom is a user-defined TLS security profile. Be extremely careful using a custom // profile as invalid configurations can be catastrophic. 
An example custom profile // looks like this: // + // minTLSVersion: VersionTLS11 // ciphers: - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 // - // minTLSVersion: VersionTLS11 - // // +optional // +nullable Custom *CustomTLSProfile `json:"custom,omitempty"` } -// OldTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility +// OldTLSProfile is a TLS security profile based on the "old" configuration of +// the Mozilla Server Side TLS configuration guidelines. type OldTLSProfile struct{} -// IntermediateTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 +// IntermediateTLSProfile is a TLS security profile based on the "intermediate" +// configuration of the Mozilla Server Side TLS configuration guidelines. type IntermediateTLSProfile struct{} -// ModernTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility +// ModernTLSProfile is a TLS security profile based on the "modern" configuration +// of the Mozilla Server Side TLS configuration guidelines. type ModernTLSProfile struct{} // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful 
@@ -189,16 +141,19 @@ type CustomTLSProfile struct {
 type TLSProfileType string
 
 const (
- // Old is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+ // TLSProfileOldType sets parameters based on the "old" configuration of
+ // the Mozilla Server Side TLS configuration guidelines.
 TLSProfileOldType TLSProfileType = "Old"
- // Intermediate is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+
+ // TLSProfileIntermediateType sets parameters based on the "intermediate"
+ // configuration of the Mozilla Server Side TLS configuration guidelines.
 TLSProfileIntermediateType TLSProfileType = "Intermediate"
- // Modern is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+
+ // TLSProfileModernType sets parameters based on the "modern" configuration
+ // of the Mozilla Server Side TLS configuration guidelines.
 TLSProfileModernType TLSProfileType = "Modern"
- // Custom is a TLS security profile that allows for user-defined parameters.
+
+ // TLSProfileCustomType is a TLS security profile that allows for user-defined parameters.
 TLSProfileCustomType TLSProfileType = "Custom"
 )
 
@@ -219,8 +174,6 @@ type TLSProfileSpec struct {
 //
 // minTLSVersion: VersionTLS11
 //
- // NOTE: currently the highest minTLSVersion allowed is VersionTLS12
- //
 MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
 }
 
@@ -245,11 +198,16 @@ const ( VersionTLS13 TLSProtocolVersion = "VersionTLS13" ) -// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec. +// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec. +// +// These profiles are based on version 5.0 of the Mozilla Server Side TLS +// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for +// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // -// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all -// entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail, -// just be sure to whitelist only and everything will be ok. +// NOTE: The caller needs to make sure to check that these constants are valid +// for their binary. Not all entries map to values for all binaries. In the case +// of ties, the kube-apiserver wins. Do not fail, just be sure to include only +// valid entries and everything will be ok. var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ TLSProfileOldType: { Ciphers: []string{ diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml index 762416197..c89d45ddc 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml 
@@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml index 1388523f8..430a39025 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml @@ -584,6 +584,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -593,6 +594,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -702,7 +704,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml index cae91bdb4..f24b2a16a 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml 
@@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml index 9d19cf83a..1ae333ddc 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml @@ -584,6 +584,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -593,6 +594,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -702,7 +704,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml index 376651de5..ea97687cf 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml 
@@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: must contain a condition of type 'Applies' + rule: self.exists_one(x, x.type == 'Applies') matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -635,6 +910,7 @@ spec: - name - url type: object + maxItems: 200 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -644,6 +920,7 @@ spec: - release - risks type: object + maxItems: 500 type: array x-kubernetes-list-type: atomic conditions: @@ -753,7 +1030,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b..86a514606 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. 
+ The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58..505489517 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. 
+ The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f..f4dec2739 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. 
+ The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 9f50839d3..3809b7864 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. 
+ The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0d..d436a75b8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -158,69 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. 
- maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -244,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates @@ -305,17 +237,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +264,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -348,143 +273,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. 
+ The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml new file mode 100644 index 000000000..e3c2202ea --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,915 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. 
+ items: + description: |- + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. 
+ maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. 
+ "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". 
+ type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? 
!has(self.expression) : has(self.expression)' + username: + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
+ + As an example, consider the following scenario: + + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. 
+ message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? 
has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
+ maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
+ maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). 
+ minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
+ This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. 
+ + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. 
+ This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
+ maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
+ + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml similarity index 80% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index d6e1cf084..64b650232 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default name: authentications.config.openshift.io spec: group: config.openshift.io 
@@ -70,37 +71,33 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). 
key must not exceed 510 characters in length. @@ -113,8 +110,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -158,14 +154,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -186,76 +180,62 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". 
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. 
+ expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string @@ -265,15 +245,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -281,16 +260,13 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 
@@ -300,23 +276,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -341,18 +315,20 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. properties: requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -364,10 +340,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -377,34 +351,36 @@ spec: - requiredValue type: object type: - default: RequiredClaim description: |- type is an optional field that configures the type of the validation rule. - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - Defaults to 'RequiredClaim'. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string + required: + - type type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. 
At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. @@ -417,15 +393,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -436,10 +408,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -463,50 +433,39 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. 
clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -517,8 +476,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -527,9 +486,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -538,11 +496,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -681,9 +636,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state 
@@ -692,8 +647,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -702,9 +656,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -781,8 +734,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -798,6 +750,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -806,25 +759,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..2f4c3180d --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,915 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. 
+ items: + description: |- + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. 
+ maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. 
+ "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". 
+ type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? 
!has(self.expression) : has(self.expression)' + username: + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
+ + As an example, consider the following scenario: + + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. 
+ message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? 
has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
+ maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
+ maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). 
+ minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
+ This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. 
+ + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. 
+ This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
+ maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
+ + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml new file mode 100644 index 000000000..2aff1f514 --- /dev/null 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -0,0 +1,819 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. 
+ items: + description: |- + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. 
+ maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. 
+ "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". 
+ type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? 
!has(self.expression) : has(self.expression)' + username: + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
+ + As an example, consider the following scenario: + + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). 
+ minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. 
+ items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier associated with the identity provider. 
+ It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. 
+ properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. 
+ The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. 
+ properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. 
+ An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. 
+ + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). 
+ minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..11281f286 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,915 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. + properties: + extra: + description: |- + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. + When omitted, no extra attributes will be present on the cluster identity. + + key values for extra mappings must be unique. + A maximum of 32 extra attribute mappings may be provided. 
+ items: + description: |- + ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. + It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. + properties: + key: + description: |- + key is a required field that specifies the string to use as the extra attribute key. + + key must be a domain-prefix path (e.g 'example.org/foo'). + key must not exceed 510 characters in length. + key must contain the '/' character, separating the domain and path characters. + key must not be empty. + + The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. + It must not exceed 253 characters in length. + It must start and end with an alphanumeric character. + It must only contain lower case alphanumeric characters and '-' or '.'. + It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". + + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + It must not exceed 256 characters in length. 
+ maxLength: 510 + minLength: 1 + type: string + x-kubernetes-validations: + - message: key must contain the '/' character + rule: self.contains('/') + - message: the domain of the key must consist of only + lower case alphanumeric characters, '-' or '.', + and must start and end with an alphanumeric character + rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + - message: the domain of the key must not exceed 253 + characters in length + rule: self.split('/', 2)[0].size() <= 253 + - message: the domain 'kubernetes.io' is reserved + for Kubernetes use + rule: self.split('/', 2)[0] != 'kubernetes.io' + - message: the subdomains '*.kubernetes.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' + - message: the domain 'k8s.io' is reserved for Kubernetes + use + rule: self.split('/', 2)[0] != 'k8s.io' + - message: the subdomains '*.k8s.io' are reserved + for Kubernetes use + rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' + - message: the domain 'openshift.io' is reserved for + OpenShift use + rule: self.split('/', 2)[0] != 'openshift.io' + - message: the subdomains '*.openshift.io' are reserved + for OpenShift use + rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' + - message: the path of the key must not be empty and + must consist of at least one alphanumeric character, + percent-encoded octets, apostrophe, '-', '.', + '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', + ';', '=', and ':' + rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') + - message: the path of the key must not exceed 256 + characters in length + rule: self.split('/', 2)[1].size() <= 256 + valueExpression: + description: |- + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. + valueExpression must produce a string or string array value. 
+ "", [], and null are treated as the extra mapping not being present. + Empty string values within an array are filtered out. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + valueExpression must not exceed 1024 characters in length. + valueExpression must not be empty. + maxLength: 1024 + minLength: 1 + type: string + required: + - key + - valueExpression + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. + + When omitted (""), no prefix is applied to the cluster identity attribute. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". 
+ type: string + required: + - claim + type: object + uid: + description: |- + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. + + When using uid.claim to specify the claim it must be a single string value. + When using uid.expression the expression must result in a single string value. + + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + + The current default is to use the 'sub' claim. + properties: + claim: + description: |- + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. + + Precisely one of claim or expression must be set. + claim must not be specified when expression is set. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + expression: + description: |- + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. + + CEL expressions have access to the token claims through a CEL variable, 'claims'. + 'claims' is a map of claim names to claim values. + For example, the 'sub' claim value can be accessed as 'claims.sub'. + Nested claims can be accessed using dot notation ('claims.foo.bar'). + + Precisely one of claim or expression must be set. + expression must not be specified when claim is set. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + type: object + x-kubernetes-validations: + - message: precisely one of claim or expression must be + set + rule: 'has(self.claim) ? 
!has(self.expression) : has(self.expression)' + username: + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. + properties: + claim: + description: |- + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
+ + As an example, consider the following scenario: + + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + cel: + description: |- + cel holds the CEL expression and message for validation. + Must be set when Type is "CEL", and forbidden otherwise. + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + expression is required, must be at least 1 character in length and must not exceed 1024 characters. + The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. 
+ message must be at least 1 character in length and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. + enum: + - RequiredClaim + - CEL + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: cel must be set when type is 'CEL', and forbidden + otherwise + rule: 'has(self.type) && self.type == ''CEL'' ? 
has(self.cel) + : !has(self.cel)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + + The discoveryURL must be a valid absolute HTTPS URL. + It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
+ maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: isURL(self) + - message: discoveryURL must be a valid https URL + rule: url(self).getScheme() == 'https' + - message: discoveryURL must not contain query parameters + rule: url(self).getQuery().size() == 0 + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') + - message: discoveryURL must not contain user info + rule: '!self.matches(''^https://.+:.+@.+/.*$'')' + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
+ maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from issuerURL + rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) + : true' + name: + description: |- + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). 
+ minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
+ This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + description: |- + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. + Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. + If any rule in the chain of rules evaluates to 'false', authentication will fail. + When specified, at least one rule must be specified and no more than 64 rules may be specified. + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + properties: + expression: + description: |- + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + + The expression must evaluate to a boolean value. + When the expression evaluates to 'true', the cluster user identity is considered valid. + When the expression evaluates to 'false', the cluster user identity is not considered valid. + expression must be at least 1 character in length and must not exceed 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + message: + description: |- + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. + message must be at least 1 character in length and must not exceed 256 characters. 
+ maxLength: 256 + minLength: 1 + type: string + required: + - expression + - message + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + enum: + - "" + - None + - IntegratedOAuth + - OIDC + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. 
+ + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. 
+ This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcClients: + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. + items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. + properties: + componentName: + description: |- + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
+ maxLength: 63 + minLength: 1 + type: string + conditions: + description: |- + conditions are used to communicate the state of the `oidcClients` entry. + + Supported conditions include Available, Degraded and Progressing. + + If Available is true, the component is successfully using the configured client. + If Degraded is true, that means something has gone wrong trying to handle the client configuration. + If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + consumingUsers: + description: |- + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. + items: + description: ConsumingUser is an alias for string which we + add validation to. Currently only service accounts are supported. + maxLength: 512 + minLength: 1 + pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: set + currentOIDCClients: + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + + Entries must have unique issuerURL/clientID pairs. + items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. + properties: + clientID: + description: |- + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. + + clientID must not be empty. + minLength: 1 + type: string + issuerURL: + description: |- + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
+ + issuerURL must use the 'https' scheme. + pattern: ^https:\/\/[^\s] + type: string + oidcProviderName: + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). + minLength: 1 + type: string + required: + - clientID + - issuerURL + - oidcProviderName + type: object + type: array + x-kubernetes-list-map-keys: + - issuerURL + - clientID + x-kubernetes-list-type: map + required: + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index 7d200f4d6..9086d4a57 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml @@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 4ecbc18e9..803c48a1e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml 
@@ -562,9 +562,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 7308c87b8..de1a68c90 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml 
@@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml index ed9fb2c3b..245bc3ea6 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml 
@@ -562,9 +562,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index f14dd3abe..c45b7d6e8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml 
@@ -628,9 +628,10 @@ spec: balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. + "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal", + "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual + components may not support all platforms, and must handle unrecognized + platforms as None if they do not support that platform. enum: - "" - AWS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml index 8e7d3c392..97698ce0b 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml @@ -4,6 +4,7 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/2448 api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Insights include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-set: CustomNoUpgrade 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml index 0ecdc12f2..1400f1a65 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml @@ -4,6 +4,7 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/2448 api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Insights include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-set: DevPreviewNoUpgrade diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml index afaf9c37d..d53757282 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml 
@@ -4,6 +4,7 @@ metadata: annotations: api-approved.openshift.io: https://github.com/openshift/api/pull/2448 api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Insights include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-set: TechPreviewNoUpgrade diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 95084cfcb..30b85b78e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk. +func (in *AcceptRisk) DeepCopy() *AcceptRisk { + if in == nil { + return nil + } + out := new(AcceptRisk) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) { *out = *in @@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) { if in.DesiredUpdate != nil { in, out := &in.DesiredUpdate, &out.DesiredUpdate *out = new(Update) - **out = **in + (*in).DeepCopyInto(*out) } if in.Capabilities != nil { in, out := &in.Capabilities, &out.Capabilities 
@@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ConditionalUpdateRisks != nil { + in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks + *out = make([]ConditionalUpdateRisk, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus { func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) { *out = *in in.Release.DeepCopyInto(&out.Release) + if in.RiskNames != nil { + in, out := &in.RiskNames, &out.RiskNames + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.Risks != nil { in, out := &in.Risks, &out.Risks *out = make([]ConditionalUpdateRisk, len(*in)) @@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.MatchingRules != nil { in, out := &in.MatchingRules, &out.MatchingRules *out = make([]ClusterCondition, len(*in)) 
@@ -2361,33 +2396,6 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { - *out = *in - if in.FulcioCAData != nil { - in, out := &in.FulcioCAData, &out.FulcioCAData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.FulcioSubject = in.FulcioSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. -func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { - if in == nil { - return nil - } - out := new(FulcioCAWithRekor) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) { *out = *in 
@@ -3144,6 +3152,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { *out = *in 
@@ -3177,6 +3212,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. +func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPKIRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPublicKeyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { *out = *in @@ -3222,6 +3310,28 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + if in.SignedIdentity != nil { + in, out := &in.SignedIdentity, &out.SignedIdentity + *out = new(PolicyIdentity) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. +func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { + if in == nil { + return nil + } + out := new(ImageSigstoreVerificationPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in @@ -4732,6 +4842,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.UserValidationRules != nil { + in, out := &in.UserValidationRules, &out.UserValidationRules + *out = make([]TokenUserValidationRule, len(*in)) + copy(*out, *in) + } return } 
@@ -5109,33 +5224,6 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKI) DeepCopyInto(out *PKI) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. -func (in *PKI) DeepCopy() *PKI { - if in == nil { - return nil - } - out := new(PKI) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in 
@@ -5357,28 +5445,6 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - if in.SignedIdentity != nil { - in, out := &in.SignedIdentity, &out.SignedIdentity - *out = new(PolicyIdentity) - (*in).DeepCopyInto(*out) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { *out = *in @@ -5458,17 +5524,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = *in if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey - *out = new(PublicKey) + *out = new(ImagePolicyPublicKeyRootOfTrust) (*in).DeepCopyInto(*out) } if in.FulcioCAWithRekor != nil { in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(FulcioCAWithRekor) + *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) (*in).DeepCopyInto(*out) } if in.PKI != nil { in, out := &in.PKI, &out.PKI - *out = new(PKI) + *out = new(ImagePolicyPKIRootOfTrust) (*in).DeepCopyInto(*out) } return 
@@ -5784,32 +5850,6 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PublicKey) DeepCopyInto(out *PublicKey) { - *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. -func (in *PublicKey) DeepCopy() *PublicKey { - if in == nil { - return nil - } - out := new(PublicKey) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) { *out = *in @@ -6405,6 +6445,22 @@ func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMappi return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenClaimValidationCELRule) DeepCopyInto(out *TokenClaimValidationCELRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationCELRule. +func (in *TokenClaimValidationCELRule) DeepCopy() *TokenClaimValidationCELRule { + if in == nil { + return nil + } + out := new(TokenClaimValidationCELRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) { *out = *in 
@@ -6413,6 +6469,7 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) *out = new(TokenRequiredClaim) **out = **in } + out.CEL = in.CEL return } @@ -6485,9 +6542,30 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule. +func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule { + if in == nil { + return nil + } + out := new(TokenUserValidationRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Update) DeepCopyInto(out *Update) { *out = *in + if in.AcceptRisks != nil { + in, out := &in.AcceptRisks, &out.AcceptRisks + *out = make([]AcceptRisk, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index b113921f2..eb7c485e0 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -6,6 +6,7 @@ apiservers.config.openshift.io: Capability: "" Category: "" FeatureGates: + - KMSEncryption - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" @@ -31,6 +32,7 @@ authentications.config.openshift.io: FeatureGates: - ExternalOIDC - ExternalOIDCWithUIDAndExtraClaimMappings + - ExternalOIDCWithUpstreamParity FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" 
@@ -141,6 +143,7 @@ clusterversions.config.openshift.io: Capability: "" Category: "" FeatureGates: + - ClusterUpdateAcceptRisks - ImageStreamImportMode - SignatureStores FilenameOperatorName: cluster-version-operator @@ -414,7 +417,7 @@ insightsdatagathers.config.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/2448 CRDName: insightsdatagathers.config.openshift.io - Capability: "" + Capability: Insights Category: "" FeatureGates: - InsightsConfig @@ -440,8 +443,7 @@ networks.config.openshift.io: CRDName: networks.config.openshift.io Capability: "" Category: "" - FeatureGates: - - NetworkDiagnosticsConfig + FeatureGates: [] FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 05e411182..7f0018950 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -407,11 +407,11 @@ func (ExtraMapping) SwaggerDoc() map[string]string { } var map_OIDCClientConfig = map[string]string{ - "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", - "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication 
requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", - "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } 
@@ -433,8 +433,8 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { var map_OIDCClientStatus = map[string]string{ "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", - "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. 
Entries must have unique issuerURL/clientID pairs.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } 
@@ -449,6 +449,7 @@ var map_OIDCProvider = map[string]string{ "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", } func (OIDCProvider) SwaggerDoc() map[string]string { 
@@ -457,7 +458,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string { var map_PrefixedClaimMapping = map[string]string{ "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { 
@@ -475,9 +476,9 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { var map_TokenClaimMappings = map[string]string{ "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", - "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", - "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", - "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. 
A maximum of 32 extra attribute mappings may be provided.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { 
@@ -494,9 +495,20 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { return map_TokenClaimOrExpressionMapping } +var map_TokenClaimValidationCELRule = map[string]string{ + "expression": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.", + "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", +} + +func (TokenClaimValidationCELRule) SwaggerDoc() map[string]string { + return map_TokenClaimValidationCELRule +} + var map_TokenClaimValidationRule = map[string]string{ - "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", - "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + "": "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. 
If Type is CEL, CEL must be set and RequiredClaim must be omitted.", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.", + "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.", + "cel": "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { 
@@ -507,6 +519,7 @@ var map_TokenIssuer = map[string]string{ "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", + "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", } func (TokenIssuer) SwaggerDoc() map[string]string { 
@@ -522,9 +535,19 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { return map_TokenRequiredClaim } +var map_TokenUserValidationRule = map[string]string{ + "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.", + "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", +} + +func (TokenUserValidationRule) SwaggerDoc() map[string]string { + return map_TokenUserValidationRule +} + var map_UsernameClaimMapping = map[string]string{ "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. 
The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } @@ -724,6 +747,15 @@ func (OperandVersion) SwaggerDoc() map[string]string { return map_OperandVersion } +var map_AcceptRisk = map[string]string{ + "": "AcceptRisk represents a risk that is considered acceptable.", + "name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", +} + +func (AcceptRisk) SwaggerDoc() map[string]string { + return map_AcceptRisk +} + var map_ClusterCondition = map[string]string{ "": "ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.", "type": "type represents the cluster-condition type. This defines the members and semantics of any additional properties.", 
@@ -790,15 +822,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string { } var map_ClusterVersionStatus = map[string]string{ - "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", - "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", - "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", - "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", - "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", - "capabilities": "capabilities describes the state of optional, core cluster components.", - "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. 
Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", - "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", - "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", + "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", + "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", + "observedGeneration": "observedGeneration reports which version of the spec is being synced. 
If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", + "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", + "capabilities": "capabilities describes the state of optional, core cluster components.", + "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", + "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", + "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. 
If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", } func (ClusterVersionStatus) SwaggerDoc() map[string]string { @@ -821,6 +854,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string { var map_ConditionalUpdate = map[string]string{ "": "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.", "release": "release is the target of the update.", + "riskNames": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", "risks": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.", } 
@@ -831,6 +865,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string { var map_ConditionalUpdateRisk = map[string]string{ "": "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.", + "conditions": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", "url": "url contains information about this risk.", "name": "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.", "message": "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", 
@@ -879,6 +914,7 @@ var map_Update = map[string]string{ "version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "force": "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n operator and you have verified the authenticity of the provided\n image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.", + "acceptRisks": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", } func (Update) SwaggerDoc() map[string]string { 
@@ -893,7 +929,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { 
@@ -1214,17 +1250,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", - "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor -} - var map_ImagePolicy = map[string]string{ "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -1236,6 +1261,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string { return map_ImagePolicy } +var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ + "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyFulcioCAWithRekorRootOfTrust +} + var map_ImagePolicyList = map[string]string{ "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -1246,6 +1282,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { return map_ImagePolicyList } +var map_ImagePolicyPKIRootOfTrust = map[string]string{ + "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPKIRootOfTrust +} + +var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ + "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPublicKeyRootOfTrust +} + var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". 
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", 
@@ -1264,15 +1321,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +var map_ImageSigstoreVerificationPolicy = map[string]string{ + "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", } -func (PKI) SwaggerDoc() map[string]string { - return map_PKI +func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { + return map_ImageSigstoreVerificationPolicy } var map_PKICertificateSubject = map[string]string{ 
@@ -1285,16 +1341,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string { return map_PKICertificateSubject } -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - var map_PolicyFulcioSubject = map[string]string{ "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", 
@@ -1345,16 +1391,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string { return map_PolicyRootOfTrust } -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -1888,7 +1924,7 @@ func (OvirtPlatformStatus) SwaggerDoc() map[string]string { var map_PlatformSpec = map[string]string{ "": "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.", - "type": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", + "type": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", "aws": "aws contains settings specific to the Amazon Web Services infrastructure provider.", "azure": "azure contains settings specific to the Azure infrastructure provider.", "gcp": "gcp contains settings specific to the Google Cloud Platform infrastructure provider.", 
@@ -2943,7 +2979,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string { } var map_IntermediateTLSProfile = map[string]string{ - "": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + "": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (IntermediateTLSProfile) SwaggerDoc() map[string]string { @@ -2951,7 +2987,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string { } var map_ModernTLSProfile = map[string]string{ - "": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + "": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (ModernTLSProfile) SwaggerDoc() map[string]string { @@ -2959,7 +2995,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string { } var map_OldTLSProfile = map[string]string{ - "": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + "": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (OldTLSProfile) SwaggerDoc() map[string]string { 
@@ -2969,7 +3005,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", - "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } func (TLSProfileSpec) SwaggerDoc() map[string]string { 
@@ -2978,11 +3014,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", - "old": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", - "intermediate": "intermediate is a 
TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", - "modern": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - 
DHE-RSA-AES256-GCM-SHA384", + "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/register.go b/vendor/github.com/openshift/api/config/v1alpha1/register.go index 4b30ea380..c90962495 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/register.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/register.go @@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ImagePolicyList{}, &ClusterImagePolicy{}, &ClusterImagePolicyList{}, + &CRIOCredentialProviderConfig{}, + &CRIOCredentialProviderConfigList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) return nil diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go index 77df372d4..0f3da5184 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go 
@@ -93,7 +93,7 @@ type EtcdBackupSpec struct { PVCName string `json:"pvcName"` } -// RetentionType is the enumeration of valid retention policy types +// RetentionType is the enumeration of valid retention policy types. // +enum // +kubebuilder:validation:Enum:="RetentionNumber";"RetentionSize" type RetentionType string @@ -115,7 +115,6 @@ type RetentionPolicy struct { // The current default is RetentionNumber with 15 backups kept. // +unionDiscriminator // +required - // +kubebuilder:validation:Enum:="";"RetentionNumber";"RetentionSize" RetentionType RetentionType `json:"retentionType"` // retentionNumber configures the retention policy based on the number of backups diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index 107b9e29a..e8d7603d7 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -51,7 +51,7 @@ type ClusterImagePolicySpec struct { // policy contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +k8s:deepcopy-gen=true diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index 0653eeb5a..29bf8ba48 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go 
@@ -94,6 +94,11 @@ type ClusterMonitoringSpec struct { // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // +optional MetricsServerConfig MetricsServerConfig `json:"metricsServerConfig,omitempty,omitzero"` + // prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. + // Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // +optional + PrometheusOperatorConfig PrometheusOperatorConfig `json:"prometheusOperatorConfig,omitempty,omitzero"` } // UserDefinedMonitoring config for user-defined projects. @@ -185,6 +190,7 @@ type AlertmanagerCustomConfig struct { // limit: null // Maximum length for this list is 10. // Minimum length for this list is 1. + // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name @@ -218,8 +224,8 @@ type AlertmanagerCustomConfig struct { // When omitted, this means the user has no opinion and the platform is left // to choose reasonable defaults. These defaults are subject to change over time. // Defaults are empty/unset. - // Maximum length for this list is 10 - // Minimum length for this list is 1 + // Maximum length for this list is 10. + // Minimum length for this list is 1. // +kubebuilder:validation:MaxItems=10 // +kubebuilder:validation:MinItems=1 // +listType=atomic 
@@ -235,7 +241,7 @@ type AlertmanagerCustomConfig struct {
 // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 // Default is empty list.
 // Maximum length for this list is 10.
- // Minimum length for this list is 1
+ // Minimum length for this list is 1.
 // Entries must have unique topologyKey and whenUnsatisfiable pairs.
 // +kubebuilder:validation:MaxItems=10
 // +kubebuilder:validation:MinItems=1
@@ -356,8 +362,8 @@ type MetricsServerConfig struct {
 // When omitted, this means the user has no opinion and the platform is left
 // to choose reasonable defaults. These defaults are subject to change over time.
 // Defaults are empty/unset.
- // Maximum length for this list is 10
- // Minimum length for this list is 1
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1.
 // +kubebuilder:validation:MaxItems=10
 // +kubebuilder:validation:MinItems=1
 // +listType=atomic
@@ -389,6 +395,7 @@ type MetricsServerConfig struct {
 // limit: null
 // Maximum length for this list is 10.
 // Minimum length for this list is 1.
+ // Each resource name must be unique within this list.
 // +optional
 // +listType=map
 // +listMapKey=name
@@ -405,7 +412,91 @@ type MetricsServerConfig struct {
 // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 // Default is empty list.
 // Maximum length for this list is 10.
- // Minimum length for this list is 1
+ // Minimum length for this list is 1.
+ // Entries must have unique topologyKey and whenUnsatisfiable pairs.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=topologyKey
+ // +listMapKey=whenUnsatisfiable
+ // +optional
+ TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
+// PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance
+// Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.
+// +kubebuilder:validation:MinProperties=1
+type PrometheusOperatorConfig struct {
+ // logLevel defines the verbosity of logs emitted by Prometheus Operator.
+ // This field allows users to control the amount and severity of logs generated, which can be useful
+ // for debugging issues or reducing noise in production environments.
+ // Allowed values are Error, Warn, Info, and Debug.
+ // When set to Error, only errors will be logged.
+ // When set to Warn, both warnings and errors will be logged.
+ // When set to Info, general information, warnings, and errors will all be logged.
+ // When set to Debug, detailed debugging information will be logged.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is `Info`.
+ // +optional
+ LogLevel LogLevel `json:"logLevel,omitempty"`
+ // nodeSelector defines the nodes on which the Pods are scheduled
+ // nodeSelector is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults.
These defaults are subject to change over time.
+ // The current default value is `kubernetes.io/os: linux`.
+ // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+ // +optional
+ // +kubebuilder:validation:MinProperties=1
+ // +kubebuilder:validation:MaxProperties=10
+ NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+ // resources defines the compute resource requests and limits for the Prometheus Operator container.
+ // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+ // When not specified, defaults are used by the platform. Requests cannot exceed limits.
+ // This field is optional.
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // This is a simplified API that maps to Kubernetes ResourceRequirements.
+ // The current default values are:
+ // resources:
+ // - name: cpu
+ // request: 4m
+ // limit: null
+ // - name: memory
+ // request: 40Mi
+ // limit: null
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ Resources []ContainerResource `json:"resources,omitempty"`
+ // tolerations defines tolerations for the pods.
+ // tolerations is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // Defaults are empty/unset.
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
+ // +optional
+ Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+ // topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed
+ // across topology domains such as zones, nodes, or other user-defined labels.
+ // topologySpreadConstraints is optional.
+ // This helps improve high availability and resource efficiency by avoiding placing
+ // too many replicas in the same failure domain.
+ //
+ // When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+ // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+ // Default is empty list.
+ // Maximum length for this list is 10.
+ // Minimum length for this list is 1.
 // Entries must have unique topologyKey and whenUnsatisfiable pairs.
 // +kubebuilder:validation:MaxItems=10
 // +kubebuilder:validation:MinItems=1
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 000000000..9e2e0d39d
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,186 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2557
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitzero"`
+
+ // spec defines the desired configuration of the CRI-O Credential Provider.
+ // This field is required and must be provided when creating the resource.
+ // +required
+ Spec *CRIOCredentialProviderConfigSpec `json:"spec,omitempty,omitzero"`
+
+ // status represents the current state of the CRIOCredentialProviderConfig.
+ // When omitted or nil, it indicates that the status has not yet been set by the controller.
+ // The controller will populate this field with validation conditions and operational state.
+ // +optional
+ Status CRIOCredentialProviderConfigStatus `json:"status,omitzero,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+// +kubebuilder:validation:MinProperties=0
+type CRIOCredentialProviderConfigSpec struct {
+ // matchImages is a list of string patterns used to determine whether
+ // the CRI-O credential provider should be invoked for a given image.
This list is
+ // passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ // the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ // that image or its mirrors.
+ // Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider.
+ // Conflicts between the existing platform specific provider image match configuration and this list will be handled by
+ // the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those
+ // from the CRIOCredentialProviderConfig when both match the same image.
+ // To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with
+ // existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml).
+ // You can check the resource's Status conditions
+ // to see if any entries were ignored due to exact matches with known built-in provider patterns.
+ //
+ // This field is optional, the items of the list must contain between 1 and 50 entries.
+ // The list is treated as a set, so duplicate entries are not allowed.
+ //
+ // For more details, see:
+ // https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ // https://github.com/cri-o/crio-credential-provider#architecture
+ //
+ // Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters.
+ // Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ // and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ // A global wildcard '*' (matching any domain) is not allowed.
+ // Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ // For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ // Each wildcard matches only a single domain label,
+ // so '*.io' does **not** match '*.k8s.io'.
+ //
+ // A match exists between an image and a matchImage when all of the below are true:
+ // Both contain the same number of domain parts and each part matches.
+ // The URL path of an matchImages must be a prefix of the target image URL path.
+ // If the matchImages contains a port, then the port must match in the image as well.
+ //
+ // Example values of matchImages:
+ // - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ // - *.azurecr.io
+ // - gcr.io
+ // - *.*.registry.io
+ // - registry.io:8080/path
+ //
+ // +kubebuilder:validation:MaxItems=50
+ // +kubebuilder:validation:MinItems=1
+ // +listType=set
+ // +optional
+ MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?)(\\.(\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?))*)(:[0-9]+)?(/[-a-z0-9._/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name in lowercase with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+// +kubebuilder:validation:MinProperties=1
+type CRIOCredentialProviderConfigStatus struct {
+ // conditions represent the latest available observations of the configuration state.
+ // When omitted, it indicates that no conditions have been reported yet.
+ // The maximum number of conditions is 16.
+ // Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+ //
+ // Expected condition types include:
+ // "Validated": indicates whether the matchImages configuration is valid
+ // +optional
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+ // ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+ // matchImages configuration has been validated successfully.
+ // When True, all matchImage patterns are valid and have been applied.
+ // When False, the configuration contains errors (see Reason for details).
+ // Possible reasons for False status:
+ // - ValidationFailed: matchImages contains invalid patterns
+ // - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+ ConditionTypeValidated = "Validated"
+
+ // ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+ // to indicate that the matchImages configuration contains one or more invalid registry patterns
+ // that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+ ReasonValidationFailed = "ValidationFailed"
+
+ // ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+ // to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+ // The condition message will contain details about which entries were ignored and why.
+ ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+ // ConditionTypeMachineConfigRendered is a condition type that indicates whether
+ // the CRIOCredentialProviderConfig has been successfully rendered into a
+ // MachineConfig object.
+ // When True, the corresponding MachineConfig is present in the cluster.
+ // When False, rendering failed.
+ ConditionTypeMachineConfigRendered = "MachineConfigRendered" + + // ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True + // to indicate that the MachineConfig was successfully created/updated in the API server. + ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded" + + // ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False + // to indicate that the MachineConfig creation/update failed. + // The condition message will contain details about the failure. + ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed" +) diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 64a89e4a6..977ca3dde 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -50,7 +50,7 @@ type ImagePolicySpec struct { // policy contains configuration to allow scopes to be verified, and defines how // images not matching the verification policy will be treated. // +required - Policy Policy `json:"policy"` + Policy ImageSigstoreVerificationPolicy `json:"policy"` } // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" 
@@ -59,8 +59,8 @@ type ImagePolicySpec struct { // +kubebuilder:validation:MaxLength=512 type ImageScope string -// Policy defines the verification policy for the items in the scopes list. -type Policy struct { +// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list. +type ImageSigstoreVerificationPolicy struct { // rootOfTrust specifies the root of trust for the policy. // +required RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` @@ -84,16 +84,16 @@ type PolicyRootOfTrust struct { PolicyType PolicyType `json:"policyType"` // publicKey defines the root of trust based on a sigstore public key. // +optional - PublicKey *PublicKey `json:"publicKey,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"` // fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. // For more information about Fulcio and Rekor, please refer to the document at: // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional - FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"` // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. // +optional // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI - PKI *PKI `json:"pki,omitempty"` + PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"` } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor 
@@ -106,8 +106,8 @@ const ( PKIRootOfTrust PolicyType = "PKI" ) -// PublicKey defines the root of trust based on a sigstore public key. -type PublicKey struct { +// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key. +type ImagePolicyPublicKeyRootOfTrust struct { // keyData contains inline base64-encoded data for the PEM format public key. // KeyData must be at most 8192 characters. // +required @@ -120,8 +120,8 @@ type PublicKey struct { RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. -type FulcioCAWithRekor struct { +// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key. +type ImagePolicyFulcioCAWithRekorRootOfTrust struct { // fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. // fulcioCAData must be at most 8192 characters. // +required @@ -151,8 +151,8 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } -// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. -type PKI struct { +// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type ImagePolicyPKIRootOfTrust struct { // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. // +required // +kubebuilder:validation:MaxLength=8192 diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go index 46666ae3b..bef31b905 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go 
@@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 // +openshift:enable:FeatureGate=InsightsConfig // +openshift:compatibility-gen:level=4 +// +openshift:capability=Insights type InsightsDataGather struct { metav1.TypeMeta `json:",inline"` diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index 6549f6cbe..dc51326b9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go 
@@ -192,6 +192,115 @@ func (in *BackupStatus) DeepCopy() *BackupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Spec != nil { + in, out := &in.Spec, &out.Spec + *out = new(CRIOCredentialProviderConfigSpec) + (*in).DeepCopyInto(*out) + } + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig. +func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig { + if in == nil { + return nil + } + out := new(CRIOCredentialProviderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CRIOCredentialProviderConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList. 
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList { + if in == nil { + return nil + } + out := new(CRIOCredentialProviderConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) { + *out = *in + if in.MatchImages != nil { + in, out := &in.MatchImages, &out.MatchImages + *out = make([]MatchImage, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec. +func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec { + if in == nil { + return nil + } + out := new(CRIOCredentialProviderConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus. 
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus { + if in == nil { + return nil + } + out := new(CRIOCredentialProviderConfigStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { *out = *in @@ -365,6 +474,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) { out.UserDefined = in.UserDefined in.AlertmanagerConfig.DeepCopyInto(&out.AlertmanagerConfig) in.MetricsServerConfig.DeepCopyInto(&out.MetricsServerConfig) + in.PrometheusOperatorConfig.DeepCopyInto(&out.PrometheusOperatorConfig) return } @@ -429,33 +539,6 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { - *out = *in - if in.FulcioCAData != nil { - in, out := &in.FulcioCAData, &out.FulcioCAData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.FulcioSubject = in.FulcioSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. -func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { - if in == nil { - return nil - } - out := new(FulcioCAWithRekor) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { *out = *in 
@@ -510,6 +593,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { *out = *in 
@@ -543,6 +653,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. +func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPKIRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPublicKeyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { *out = *in @@ -588,6 +751,24 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. +func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { + if in == nil { + return nil + } + out := new(ImageSigstoreVerificationPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in 
@@ -727,33 +908,6 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKI) DeepCopyInto(out *PKI) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. -func (in *PKI) DeepCopy() *PKI { - if in == nil { - return nil - } - out := new(PKI) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in @@ -803,24 +957,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { *out = *in 
@@ -900,17 +1036,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = *in if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey - *out = new(PublicKey) + *out = new(ImagePolicyPublicKeyRootOfTrust) (*in).DeepCopyInto(*out) } if in.FulcioCAWithRekor != nil { in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(FulcioCAWithRekor) + *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) (*in).DeepCopyInto(*out) } if in.PKI != nil { in, out := &in.PKI, &out.PKI - *out = new(PKI) + *out = new(ImagePolicyPKIRootOfTrust) (*in).DeepCopyInto(*out) } return 
@@ -927,27 +1063,45 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PublicKey) DeepCopyInto(out *PublicKey) { +func (in *PrometheusOperatorConfig) DeepCopyInto(out *PrometheusOperatorConfig) { *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. -func (in *PublicKey) DeepCopy() *PublicKey { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusOperatorConfig. +func (in *PrometheusOperatorConfig) DeepCopy() *PrometheusOperatorConfig { if in == nil { return nil } - out := new(PublicKey) + out := new(PrometheusOperatorConfig) in.DeepCopyInto(out) return out } 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 2f79f801d..14091b587 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -21,6 +21,29 @@ backups.config.openshift.io: - AutomatedEtcdBackup Version: v1alpha1 +criocredentialproviderconfigs.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2557 + CRDName: criocredentialproviderconfigs.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - CRIOCredentialProviderConfig + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: CRIOCredentialProviderConfig + Labels: {} + PluralName: criocredentialproviderconfigs + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - CRIOCredentialProviderConfig + Version: v1alpha1 + clusterimagepolicies.config.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/1457 @@ -97,7 +120,7 @@ insightsdatagathers.config.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/1245 CRDName: insightsdatagathers.config.openshift.io - Capability: "" + Capability: Insights Category: "" FeatureGates: - InsightsConfig diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 6ba6ad11f..c060ce874 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -132,10 +132,10 @@ var map_AlertmanagerCustomConfig = map[string]string{ "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. 
The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. 
These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", - "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. 
Entries must have unique topologyKey and whenUnsatisfiable pairs.", "volumeClaimTemplate": "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.", } 
@@ -174,10 +174,11 @@ func (ClusterMonitoringList) SwaggerDoc() map[string]string { } var map_ClusterMonitoringSpec = map[string]string{ - "": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", - "userDefined": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", - "alertmanagerConfig": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", - "metricsServerConfig": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", + "userDefined": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", + "alertmanagerConfig": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", + "metricsServerConfig": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "prometheusOperatorConfig": "prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { 
@@ -207,16 +208,29 @@ var map_MetricsServerConfig = map[string]string{ "": "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", "audit": "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", "verbosity": "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. 
When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", - "resources": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", - "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "resources": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", } func (MetricsServerConfig) SwaggerDoc() map[string]string { return map_MetricsServerConfig } +var map_PrometheusOperatorConfig = map[string]string{ + "": "PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.", + "logLevel": "logLevel defines the verbosity of logs emitted by Prometheus Operator. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. 
When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. 
Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", +} + +func (PrometheusOperatorConfig) SwaggerDoc() map[string]string { + return map_PrometheusOperatorConfig +} + var map_UserDefinedMonitoring = map[string]string{ "": "UserDefinedMonitoring config for user-defined projects.", "mode": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.", 
@@ -226,15 +240,42 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string { return map_UserDefinedMonitoring } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", +var map_CRIOCredentialProviderConfig = map[string]string{ + "": "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.", + "status": "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.", +} + +func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string { + return map_CRIOCredentialProviderConfig +} + +var map_CRIOCredentialProviderConfigList = map[string]string{ + "": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", +} + +func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string { + return map_CRIOCredentialProviderConfigList } -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor +var map_CRIOCredentialProviderConfigSpec = map[string]string{ + "": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.", + "matchImages": "matchImages is a list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. 
Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is optional, the items of the list must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. 
Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path", +} + +func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string { + return map_CRIOCredentialProviderConfigSpec +} + +var map_CRIOCredentialProviderConfigStatus = map[string]string{ + "": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig", + "conditions": "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid", +} + +func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string { + return map_CRIOCredentialProviderConfigStatus } var map_ImagePolicy = map[string]string{ 
@@ -248,6 +289,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string { return map_ImagePolicy } +var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ + "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyFulcioCAWithRekorRootOfTrust +} + var map_ImagePolicyList = map[string]string{ "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -257,6 +309,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { return map_ImagePolicyList } +var map_ImagePolicyPKIRootOfTrust = map[string]string{ + "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPKIRootOfTrust +} + +var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ + "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", +} + +func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPublicKeyRootOfTrust +} + var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". 
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", 
@@ -275,15 +348,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +var map_ImageSigstoreVerificationPolicy = map[string]string{ + "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", + "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", } -func (PKI) SwaggerDoc() map[string]string { - return map_PKI +func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { + return map_ImageSigstoreVerificationPolicy } var map_PKICertificateSubject = map[string]string{ 
@@ -296,16 +368,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string { return map_PKICertificateSubject } -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", - "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - var map_PolicyFulcioSubject = map[string]string{ "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", 
@@ -356,16 +418,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string { return map_PolicyRootOfTrust } -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", diff --git a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go index d59f5920b..fbe666249 100644 --- a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go +++ b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go @@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 // +openshift:enable:FeatureGate=InsightsConfig // +openshift:compatibility-gen:level=4 +// +openshift:capability=Insights type InsightsDataGather struct { metav1.TypeMeta `json:",inline"` // metadata is the standard object's metadata. 
diff --git a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml index 99fe308ef..1f73e723e 100644 --- a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml @@ -2,7 +2,7 @@ insightsdatagathers.config.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/2195 CRDName: insightsdatagathers.config.openshift.io - Capability: "" + Capability: Insights Category: "" FeatureGates: - InsightsConfig diff --git a/vendor/github.com/openshift/api/console/v1/types_console_sample.go b/vendor/github.com/openshift/api/console/v1/types_console_sample.go index bd0f65696..c296059b7 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_sample.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_sample.go @@ -125,7 +125,8 @@ type ConsoleSampleSpec struct { // ConsoleSampleSourceType is an enumeration of the supported sample types. // Unsupported samples types will be ignored in the web console. -// +kubebuilder:validation:Enum:=GitImport;ContainerImport +// +kubebuilder:validation:Enum:="GitImport";"ContainerImport" +// +enum type ConsoleSampleSourceType string const ( @@ -144,7 +145,6 @@ type ConsoleSampleSource struct { // type of the sample, currently supported: "GitImport";"ContainerImport" // +unionDiscriminator // +required - // +kubebuilder:validation:Enum:="GitImport";"ContainerImport" Type ConsoleSampleSourceType `json:"type"` // gitImport allows the user to import code from a git repository. diff --git a/vendor/github.com/openshift/api/etcd/README.md b/vendor/github.com/openshift/api/etcd/README.md new file mode 100644 index 000000000..b92d553df --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/README.md 
@@ -0,0 +1,211 @@ +# etcd.openshift.io API Group + +This API group contains CRDs related to etcd cluster management in Two Node OpenShift with Fencing deployments. + +## API Versions + +### v1alpha1 + +Contains the `PacemakerCluster` custom resource for monitoring Pacemaker cluster health in Two Node OpenShift with Fencing deployments. + +#### PacemakerCluster + +- **Feature Gate**: `DualReplica` +- **Component**: `two-node-fencing` +- **Scope**: Cluster-scoped singleton resource (must be named "cluster") +- **Resource Path**: `pacemakerclusters.etcd.openshift.io` + +The `PacemakerCluster` resource provides visibility into the health and status of a Pacemaker-managed cluster. +It is periodically updated by the cluster-etcd-operator's status collector. + +### Status Subresource Design + +This resource uses the standard Kubernetes status subresource pattern (`+kubebuilder:subresource:status`). +The status collector creates the resource without status, then immediately populates it via the `/status` endpoint. + +**Why not atomic create-with-status?** + +We initially explored removing the status subresource to allow creating the resource with status in a single +atomic operation. This would ensure the resource is never observed in an incomplete state. However: + +1. The Kubernetes API server strips the `status` field from create requests when a status subresource is enabled +2. Without the subresource, we cannot use separate RBAC for spec vs status updates +3. The OpenShift API test framework assumes status subresource exists for status update tests + +The status collector performs a two-step operation: create resource, then immediately update status. +The brief window where status is empty is acceptable since the healthcheck controller handles missing status gracefully. + +### Pacemaker Resources + +A **pacemaker resource** is a unit of work managed by pacemaker. 
In pacemaker terminology, resources are services +or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. + +For Two Node OpenShift with Fencing, we manage three resource types: +- **Kubelet**: The Kubernetes node agent and a prerequisite for etcd +- **Etcd**: The distributed key-value store +- **FencingAgent**: Used to isolate failed nodes during a quorum loss event (tracked separately) + +### Status Structure + +```yaml +status: # Optional on creation, populated via status subresource + conditions: # Required when status present (min 3 items) + - type: Healthy + - type: InService + - type: NodeCountAsExpected + lastUpdated: # Required when status present, cannot decrease + nodes: # Control-plane nodes (0-5, expects 2 for TNF) + - nodeName: # RFC 1123 subdomain name + addresses: # Required: List of node addresses (1-8 items) + - type: InternalIP # Currently only InternalIP is supported + address: # First address used for etcd peer URLs + conditions: # Required: Node-level conditions (min 9 items) + - type: Healthy + - type: Online + - type: InService + - type: Active + - type: Ready + - type: Clean + - type: Member + - type: FencingAvailable + - type: FencingHealthy + resources: # Required: Pacemaker resources on this node (min 2) + - name: Kubelet # Both Kubelet and Etcd must be present + conditions: # Required: Resource-level conditions (min 8 items) + - type: Healthy + - type: InService + - type: Managed + - type: Enabled + - type: Operational + - type: Active + - type: Started + - type: Schedulable + - name: Etcd + conditions: [...] # Same 8 conditions as Kubelet (abbreviated) + fencingAgents: # Required: Fencing agents for THIS node (1-8) + - name: # e.g., "master-0_redfish" (unique, max 300 chars) + method: # Fencing method: "Redfish" or "IPMI" + conditions: [...] 
# Same 8 conditions as resources (abbreviated) +``` + +### Fencing Agents + +Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. +Unlike regular pacemaker resources (Kubelet, Etcd), fencing agents are tracked separately because: + +1. **Mapping by target, not schedule**: Resources are mapped to the node where they are scheduled to run. + Fencing agents are mapped to the node they can *fence* (their target), regardless of which node + their monitoring operations are scheduled on. + +2. **Multiple agents per node**: A node can have multiple fencing agents for redundancy + (e.g., both Redfish and IPMI). Expected: 1 per node, supported: up to 8. + +3. **Health tracking via two node-level conditions**: + - **FencingAvailable**: True if at least one agent is healthy (fencing works), False if all agents unhealthy (degrades operator) + - **FencingHealthy**: True if all agents are healthy (ideal state), False if any agent is unhealthy (emits warning events) + +### Cluster-Level Conditions + +| Condition | True | False | +|-----------|------|-------| +| `Healthy` | Cluster is healthy (`ClusterHealthy`) | Cluster has issues (`ClusterUnhealthy`) | +| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) | +| `NodeCountAsExpected` | Node count is as expected (`AsExpected`) | Wrong count (`InsufficientNodes`, `ExcessiveNodes`) | + +### Node-Level Conditions + +| Condition | True | False | +|-----------|------|-------| +| `Healthy` | Node is healthy (`NodeHealthy`) | Node has issues (`NodeUnhealthy`) | +| `Online` | Node is online (`Online`) | Node is offline (`Offline`) | +| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) | +| `Active` | Node is active (`Active`) | Node is in standby (`Standby`) | +| `Ready` | Node is ready (`Ready`) | Node is pending (`Pending`) | +| `Clean` | Node is clean (`Clean`) | Node is unclean (`Unclean`) | +| `Member` | Node is a member (`Member`) | Not a 
member (`NotMember`) | +| `FencingAvailable` | At least one agent healthy (`FencingAvailable`) | All agents unhealthy (`FencingUnavailable`) - degrades operator | +| `FencingHealthy` | All agents healthy (`FencingHealthy`) | Some agents unhealthy (`FencingUnhealthy`) - emits warnings | + +### Resource-Level Conditions + +Each resource in the `resources` array and each fencing agent in the `fencingAgents` array has its own conditions. + +| Condition | True | False | +|-----------|------|-------| +| `Healthy` | Resource is healthy (`ResourceHealthy`) | Resource has issues (`ResourceUnhealthy`) | +| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) | +| `Managed` | Managed by pacemaker (`Managed`) | Not managed (`Unmanaged`) | +| `Enabled` | Resource is enabled (`Enabled`) | Resource is disabled (`Disabled`) | +| `Operational` | Resource is operational (`Operational`) | Resource has failed (`Failed`) | +| `Active` | Resource is active (`Active`) | Resource is not active (`Inactive`) | +| `Started` | Resource is started (`Started`) | Resource is stopped (`Stopped`) | +| `Schedulable` | Resource is schedulable (`Schedulable`) | Resource is not schedulable (`Unschedulable`) | + +### Validation Rules + +**Resource naming:** +- Resource name must be "cluster" (singleton) + +**Node name validation:** +- Must be a lowercase RFC 1123 subdomain name +- Consists of lowercase alphanumeric characters, '-' or '.' 
+- Must start and end with an alphanumeric character +- Maximum 253 characters + +**Node addresses:** +- Uses `PacemakerNodeAddress` type (similar to `corev1.NodeAddress` but with IP validation) +- Currently only `InternalIP` type is supported +- Pacemaker allows multiple addresses for Corosync communication between nodes (1-8 addresses) +- The first address in the list is used for IP-based peer URLs for etcd membership +- IP validation: + - Must be a valid global unicast IPv4 or IPv6 address + - Must be in canonical form (e.g., `192.168.1.1` not `192.168.001.001`, or `2001:db8::1` not `2001:0db8::1`) + - Excludes loopback, link-local, and multicast addresses + - Maximum length is 39 characters (full IPv6 address) + +**Timestamp validation:** +- `lastUpdated` is required when status is present +- Once set, cannot be set to an earlier timestamp (validation uses `!has(oldSelf.lastUpdated)` to handle initial creation) +- Timestamps must always increase (prevents stale updates from overwriting newer data) + +**Status fields:** +- `status` - Optional on creation (pointer type), populated via status subresource +- When status is present, all fields within are required: + - `conditions` - Required array of cluster conditions (min 3 items) + - `lastUpdated` - Required timestamp for staleness detection + - `nodes` - Required array of control-plane node statuses (min 0, max 5; empty allowed for catastrophic failures) + +**Node fields (when node present):** +- `nodeName` - Required, RFC 1123 subdomain +- `addresses` - Required (min 1, max 8 items) +- `conditions` - Required (min 9 items with specific types enforced via XValidation) +- `resources` - Required (min 2 items: Kubelet and Etcd) +- `fencingAgents` - Required (min 1, max 8 items) + +**Conditions validation:** +- Cluster-level: MinItems=3 (Healthy, InService, NodeCountAsExpected) +- Node-level: MinItems=9 (Healthy, Online, InService, Active, Ready, Clean, Member, FencingAvailable, FencingHealthy) +- Resource-level: 
MinItems=8 (Healthy, InService, Managed, Enabled, Operational, Active, Started, Schedulable) +- Fencing agent-level: MinItems=8 (same conditions as resources) + +All condition arrays have XValidation rules to ensure specific condition types are present. + +**Resource names:** +- Valid values are: `Kubelet`, `Etcd` +- Both resources must be present in each node's `resources` array + +**Fencing agent fields:** +- `name`: Unique identifier for the fencing agent (e.g., "master-0_redfish") + - Must be unique within the `fencingAgents` array + - May contain alphanumeric characters, dots, hyphens, and underscores (`^[a-zA-Z0-9._-]+$`) + - Maximum 300 characters (provides headroom beyond 253 node name + underscore + method) +- `method`: Fencing method enum - valid values are `Redfish` or `IPMI` +- `conditions`: Required, same 8 conditions as resources + +Note: The target node is implied by the parent `PacemakerClusterNodeStatus` - fencing agents are nested under the node they can fence. + +### Usage + +The cluster-etcd-operator healthcheck controller watches this resource and updates operator conditions based on +the cluster state. The aggregate `Healthy` conditions at each level (cluster, node, resource) provide a quick +way to determine overall health. diff --git a/vendor/github.com/openshift/api/etcd/install.go b/vendor/github.com/openshift/api/etcd/install.go new file mode 100644 index 000000000..7e7474152 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/install.go 
@@ -0,0 +1,26 @@
+package etcd
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+
+ v1alpha1 "github.com/openshift/api/etcd/v1alpha1"
+)
+
+const (
+ GroupName = "etcd.openshift.io"
+)
+
+var (
+ schemeBuilder = runtime.NewSchemeBuilder(v1alpha1.Install)
+ // Install is a function which adds every version of this group to a scheme
+ Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+ return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+ return schema.GroupKind{Group: GroupName, Kind: kind}
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile b/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile
new file mode 100644
index 000000000..3d019662a
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile
@@ -0,0 +1,3 @@
+.PHONY: test
+test:
+ make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="etcd.openshift.io/v1alpha1"
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go b/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go
new file mode 100644
index 000000000..aea92fb38
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go
@@ -0,0 +1,6 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+// +openshift:featuregated-schema-gen=true
+// +groupName=etcd.openshift.io
+package v1alpha1
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/register.go b/vendor/github.com/openshift/api/etcd/v1alpha1/register.go
new file mode 100644
index 000000000..1dc6482f8
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/register.go
@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+ GroupName = "etcd.openshift.io"
+ GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+ schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ // Install is a function which adds this version to a scheme
+ Install = schemeBuilder.AddToScheme
+
+ // SchemeGroupVersion generated code relies on this name
+ // Deprecated
+ SchemeGroupVersion = GroupVersion
+ // AddToScheme exists solely to keep the old generators creating valid code
+ // DEPRECATED
+ AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+ return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+ metav1.AddToGroupVersion(scheme, GroupVersion)
+
+ scheme.AddKnownTypes(GroupVersion,
+ &PacemakerCluster{},
+ &PacemakerClusterList{},
+ )
+
+ return nil
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go
new file mode 100644
index 000000000..ab06d0e39
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go
@@ -0,0 +1,736 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// PacemakerCluster is used in Two Node OpenShift with Fencing deployments to monitor the health
+// of etcd running under pacemaker.
+
+// Cluster-level condition types for PacemakerCluster.status.conditions
+const (
+ // ClusterHealthyConditionType tracks the overall health of the pacemaker cluster.
+ // This is an aggregate condition that reflects the health of all cluster-level conditions and node health.
+ // Specifically, it aggregates the following conditions:
+ // - ClusterInServiceConditionType
+ // - ClusterNodeCountAsExpectedConditionType
+ // - NodeHealthyConditionType (for each node)
+ // When True, the cluster is healthy with reason "ClusterHealthy".
+ // When False, the cluster is unhealthy with reason "ClusterUnhealthy".
+ ClusterHealthyConditionType = "Healthy"
+
+ // ClusterInServiceConditionType tracks whether the cluster is in service (not in maintenance mode).
+ // Maintenance mode is a cluster-wide setting that prevents pacemaker from starting or stopping resources.
+ // When True, the cluster is in service with reason "InService". This is the normal operating state.
+ // When False, the cluster is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+ ClusterInServiceConditionType = "InService"
+
+ // ClusterNodeCountAsExpectedConditionType tracks whether the cluster has the expected number of nodes.
+ // For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes.
+ // When True, the expected number of nodes are present with reason "AsExpected".
+ // When False, the node count is incorrect with reason "InsufficientNodes" or "ExcessiveNodes".
+ ClusterNodeCountAsExpectedConditionType = "NodeCountAsExpected"
+)
+
+// ClusterHealthy condition reasons
+const (
+ // ClusterHealthyReasonHealthy means the pacemaker cluster is healthy and operating normally.
+ ClusterHealthyReasonHealthy = "ClusterHealthy"
+
+ // ClusterHealthyReasonUnhealthy means the pacemaker cluster has issues that need investigation.
+ ClusterHealthyReasonUnhealthy = "ClusterUnhealthy"
+)
+
+// ClusterInService condition reasons
+const (
+ // ClusterInServiceReasonInService means the cluster is in service (not in maintenance mode).
+ // This is the normal operating state.
+ ClusterInServiceReasonInService = "InService"
+
+ // ClusterInServiceReasonInMaintenance means the cluster is in maintenance mode.
+ // In maintenance mode, pacemaker will not start or stop any resources. Entering and exiting this state requires
+ // manual user intervention, and is unexpected during normal cluster operation.
+ ClusterInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// ClusterNodeCountAsExpected condition reasons
+const (
+ // ClusterNodeCountAsExpectedReasonAsExpected means the expected number of nodes are present.
+ // For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes. This is the expected healthy state.
+ ClusterNodeCountAsExpectedReasonAsExpected = "AsExpected"
+
+ // ClusterNodeCountAsExpectedReasonInsufficientNodes means fewer nodes than expected are present.
+ // For Two Node OpenShift with Fencing, this means that less than 2 nodes are present. Under normal operation, this will only happen during
+ // a node replacement operation. It's also possible to enter this state with manual user intervention, but
+ // will also require user intervention to restore normal functionality.
+ ClusterNodeCountAsExpectedReasonInsufficientNodes = "InsufficientNodes"
+
+ // ClusterNodeCountAsExpectedReasonExcessiveNodes means more nodes than expected are present.
+ // For Two Node OpenShift with Fencing, this means more than 2 nodes are present. This should be investigated as it is unexpected and should
+ // never happen during normal cluster operation. It is possible to enter this state with manual user intervention,
+ // but will also require user intervention to restore normal functionality.
+ ClusterNodeCountAsExpectedReasonExcessiveNodes = "ExcessiveNodes"
+)
+
+// Node-level condition types for PacemakerCluster.status.nodes[].conditions
+const (
+ // NodeHealthyConditionType tracks the overall health of a node in the pacemaker cluster.
+ // This is an aggregate condition that reflects the health of all node-level conditions and resource health.
+ // Specifically, it aggregates the following conditions:
+ // - NodeOnlineConditionType
+ // - NodeInServiceConditionType
+ // - NodeActiveConditionType
+ // - NodeReadyConditionType
+ // - NodeCleanConditionType
+ // - NodeMemberConditionType
+ // - NodeFencingAvailableConditionType
+ // - NodeFencingHealthyConditionType
+ // - ResourceHealthyConditionType (for each resource in the node's resources list)
+ // When True, the node is healthy with reason "NodeHealthy".
+ // When False, the node is unhealthy with reason "NodeUnhealthy".
+ NodeHealthyConditionType = "Healthy"
+
+ // NodeOnlineConditionType tracks whether a node is online.
+ // When True, the node is online with reason "Online". This is the normal operating state.
+ // When False, the node is offline with reason "Offline". This can occur during reboots, failures, maintenance, or replacement.
+ NodeOnlineConditionType = "Online"
+
+ // NodeInServiceConditionType tracks whether a node is in service (not in maintenance mode).
+ // A node in maintenance mode is ignored by pacemaker while maintenance mode is active.
+ // When True, the node is in service with reason "InService". This is the normal operating state.
+ // When False, the node is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+ NodeInServiceConditionType = "InService"
+
+ // NodeActiveConditionType tracks whether a node is active (not in standby mode).
+ // When a node enters standby mode, pacemaker moves its resources to other nodes in the cluster.
+ // In Two Node OpenShift with Fencing, we do not use standby mode during normal operation.
+ // When True, the node is active with reason "Active". This is the normal operating state.
+ // When False, the node is in standby mode with reason "Standby". This is an unexpected state.
+ NodeActiveConditionType = "Active"
+
+ // NodeReadyConditionType tracks whether a node is ready (not in a pending state).
+ // A node in a pending state is in the process of joining or leaving the cluster.
+ // When True, the node is ready with reason "Ready". This is the normal operating state.
+ // When False, the node is pending with reason "Pending". This is expected to be temporary.
+ NodeReadyConditionType = "Ready"
+
+ // NodeCleanConditionType tracks whether a node is in a clean state.
+ // An unclean state means that pacemaker was unable to confirm the node's state, which signifies issues
+ // in fencing, communication, or configuration.
+ // When True, the node is clean with reason "Clean". This is the normal operating state.
+ // When False, the node is unclean with reason "Unclean". This is an unexpected state.
+ NodeCleanConditionType = "Clean"
+
+ // NodeMemberConditionType tracks whether a node is a member of the cluster.
+ // Some configurations may use remote nodes or ping nodes, which are nodes that are not members.
+ // For Two Node OpenShift with Fencing, we expect both nodes to be members.
+ // When True, the node is a member with reason "Member". This is the normal operating state.
+ // When False, the node is not a member with reason "NotMember". This is an unexpected state.
+ NodeMemberConditionType = "Member"
+
+ // NodeFencingAvailableConditionType tracks whether a node can be fenced by at least one fencing agent.
+ // For Two Node OpenShift with Fencing, each node needs at least one healthy fencing agent to ensure
+ // that the cluster can recover from a node failure via STONITH (Shoot The Other Node In The Head).
+ // When True, at least one fencing agent is healthy with reason "FencingAvailable".
+ // When False, all fencing agents are unhealthy with reason "FencingUnavailable". This is a critical
+ // state that should degrade the operator.
+ NodeFencingAvailableConditionType = "FencingAvailable"
+
+ // NodeFencingHealthyConditionType tracks whether all fencing agents for a node are healthy.
+ // This is an aggregate condition that reflects the health of all fencing agents targeting this node.
+ // When True, all fencing agents are healthy with reason "FencingHealthy".
+ // When False, one or more fencing agents are unhealthy with reason "FencingUnhealthy". Warning events
+ // should be emitted for failing agents, but the operator should not be degraded if FencingAvailable is True.
+ NodeFencingHealthyConditionType = "FencingHealthy"
+)
+
+// NodeHealthy condition reasons
+const (
+ // NodeHealthyReasonHealthy means the node is healthy and operating normally.
+ NodeHealthyReasonHealthy = "NodeHealthy"
+
+ // NodeHealthyReasonUnhealthy means the node has issues that need investigation.
+ NodeHealthyReasonUnhealthy = "NodeUnhealthy"
+)
+
+// NodeOnline condition reasons
+const (
+ // NodeOnlineReasonOnline means the node is online. This is the normal operating state.
+ NodeOnlineReasonOnline = "Online"
+
+ // NodeOnlineReasonOffline means the node is offline.
+ NodeOnlineReasonOffline = "Offline"
+)
+
+// NodeInService condition reasons
+const (
+ // NodeInServiceReasonInService means the node is in service (not in maintenance mode).
+ // This is the normal operating state.
+ NodeInServiceReasonInService = "InService"
+
+ // NodeInServiceReasonInMaintenance means the node is in maintenance mode.
+ // This is an unexpected state.
+ NodeInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// NodeActive condition reasons
+const (
+ // NodeActiveReasonActive means the node is active (not in standby mode).
+ // This is the normal operating state.
+ NodeActiveReasonActive = "Active"
+
+ // NodeActiveReasonStandby means the node is in standby mode.
+ // This is an unexpected state.
+ NodeActiveReasonStandby = "Standby"
+)
+
+// NodeReady condition reasons
+const (
+ // NodeReadyReasonReady means the node is ready (not in a pending state).
+ // This is the normal operating state.
+ NodeReadyReasonReady = "Ready"
+
+ // NodeReadyReasonPending means the node is joining or leaving the cluster.
+ // This state is expected to be temporary.
+ NodeReadyReasonPending = "Pending"
+)
+
+// NodeClean condition reasons
+const (
+ // NodeCleanReasonClean means the node is in a clean state.
+ // This is the normal operating state.
+ NodeCleanReasonClean = "Clean"
+
+ // NodeCleanReasonUnclean means the node is in an unclean state.
+ // Pacemaker was unable to confirm the node's state, which signifies issues in fencing, communication, or configuration.
+ // This is an unexpected state.
+ NodeCleanReasonUnclean = "Unclean"
+)
+
+// NodeMember condition reasons
+const (
+ // NodeMemberReasonMember means the node is a member of the cluster.
+ // For Two Node OpenShift with Fencing, we expect both nodes to be members. This is the normal operating state.
+ NodeMemberReasonMember = "Member"
+
+ // NodeMemberReasonNotMember means the node is not a member of the cluster.
+ // This is an unexpected state.
+ NodeMemberReasonNotMember = "NotMember"
+)
+
+// NodeFencingAvailable condition reasons
+const (
+ // NodeFencingAvailableReasonAvailable means at least one fencing agent for this node is healthy.
+ // The cluster can fence this node if needed. This is the normal operating state.
+ NodeFencingAvailableReasonAvailable = "FencingAvailable" + + // NodeFencingAvailableReasonUnavailable means all fencing agents for this node are unhealthy. + // The cluster cannot fence this node, which compromises high availability. + // This is a critical state that should degrade the operator. + NodeFencingAvailableReasonUnavailable = "FencingUnavailable" +) + +// NodeFencingHealthy condition reasons +const ( + // NodeFencingHealthyReasonHealthy means all fencing agents for this node are healthy. + // This is the ideal operating state with full redundancy. + NodeFencingHealthyReasonHealthy = "FencingHealthy" + + // NodeFencingHealthyReasonUnhealthy means one or more fencing agents for this node are unhealthy. + // Warning events should be emitted for failing agents, but the operator should not be degraded + // if FencingAvailable is still True. + NodeFencingHealthyReasonUnhealthy = "FencingUnhealthy" +) + +// Resource-level condition types for PacemakerCluster.status.nodes[].resources[].conditions +const ( + // ResourceHealthyConditionType tracks the overall health of a pacemaker resource. + // This is an aggregate condition that reflects the health of all resource-level conditions. + // Specifically, it aggregates the following conditions: + // - ResourceInServiceConditionType + // - ResourceManagedConditionType + // - ResourceEnabledConditionType + // - ResourceOperationalConditionType + // - ResourceActiveConditionType + // - ResourceStartedConditionType + // - ResourceSchedulableConditionType + // When True, the resource is healthy with reason "ResourceHealthy". + // When False, the resource is unhealthy with reason "ResourceUnhealthy". + ResourceHealthyConditionType = "Healthy" + + // ResourceInServiceConditionType tracks whether a resource is in service (not in maintenance mode). + // Resources in maintenance mode are not monitored or moved by pacemaker. + // In Two Node OpenShift with Fencing, we do not expect any resources to be in maintenance mode. 
+ // When True, the resource is in service with reason "InService". This is the normal operating state.
+ // When False, the resource is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+ ResourceInServiceConditionType = "InService"
+
+ // ResourceManagedConditionType tracks whether a resource is managed by pacemaker.
+ // Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic.
+ // For Two Node OpenShift with Fencing, all resources are expected to be managed.
+ // When True, the resource is managed with reason "Managed". This is the normal operating state.
+ // When False, the resource is not managed with reason "Unmanaged". This is an unexpected state.
+ ResourceManagedConditionType = "Managed"
+
+ // ResourceEnabledConditionType tracks whether a resource is enabled.
+ // Resources that are disabled are stopped and not automatically managed or started by the cluster.
+ // In Two Node OpenShift with Fencing, we do not expect any resources to be disabled.
+ // When True, the resource is enabled with reason "Enabled". This is the normal operating state.
+ // When False, the resource is disabled with reason "Disabled". This is an unexpected state.
+ ResourceEnabledConditionType = "Enabled"
+
+ // ResourceOperationalConditionType tracks whether a resource is operational (not failed).
+ // A failed resource is one that is not able to start or is in an error state.
+ // When True, the resource is operational with reason "Operational". This is the normal operating state.
+ // When False, the resource has failed with reason "Failed". This is an unexpected state.
+ ResourceOperationalConditionType = "Operational"
+
+ // ResourceActiveConditionType tracks whether a resource is active.
+ // An active resource is running on a cluster node.
+ // In Two Node OpenShift with Fencing, all resources are expected to be active.
+ // When True, the resource is active with reason "Active". This is the normal operating state.
+ // When False, the resource is not active with reason "Inactive". This is an unexpected state.
+ ResourceActiveConditionType = "Active"
+
+ // ResourceStartedConditionType tracks whether a resource is started.
+ // It's normal for a resource like etcd to become stopped in the event of a quorum loss event because
+ // the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one.
+ // A resource that stays stopped for an extended period of time is an unexpected state and should be investigated.
+ // When True, the resource is started with reason "Started". This is the normal operating state.
+ // When False, the resource is not started with reason "Stopped". This is expected to be temporary.
+ ResourceStartedConditionType = "Started"
+
+ // ResourceSchedulableConditionType tracks whether a resource is schedulable (not blocked).
+ // A resource that is not schedulable is unable to start or move to a different node.
+ // In Two Node OpenShift with Fencing, we do not expect any resources to be unschedulable.
+ // When True, the resource is schedulable with reason "Schedulable". This is the normal operating state.
+ // When False, the resource is not schedulable with reason "Unschedulable". This is an unexpected state.
+ ResourceSchedulableConditionType = "Schedulable"
+)
+
+// ResourceHealthy condition reasons
+const (
+ // ResourceHealthyReasonHealthy means the resource is healthy and operating normally.
+ ResourceHealthyReasonHealthy = "ResourceHealthy"
+
+ // ResourceHealthyReasonUnhealthy means the resource has issues that need investigation.
+ ResourceHealthyReasonUnhealthy = "ResourceUnhealthy"
+)
+
+// ResourceInService condition reasons
+const (
+ // ResourceInServiceReasonInService means the resource is in service (not in maintenance mode).
+ // This is the normal operating state.
+ ResourceInServiceReasonInService = "InService"
+
+ // ResourceInServiceReasonInMaintenance means the resource is in maintenance mode.
+ // Resources in maintenance mode are not monitored or moved by pacemaker. This is an unexpected state.
+ ResourceInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// ResourceManaged condition reasons
+const (
+ // ResourceManagedReasonManaged means the resource is managed by pacemaker.
+ // This is the normal operating state.
+ ResourceManagedReasonManaged = "Managed"
+
+ // ResourceManagedReasonUnmanaged means the resource is not managed by pacemaker.
+ // Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic.
+ // This is an unexpected state.
+ ResourceManagedReasonUnmanaged = "Unmanaged"
+)
+
+// ResourceEnabled condition reasons
+const (
+ // ResourceEnabledReasonEnabled means the resource is enabled.
+ // This is the normal operating state.
+ ResourceEnabledReasonEnabled = "Enabled"
+
+ // ResourceEnabledReasonDisabled means the resource is disabled.
+ // Resources that are disabled are stopped and not automatically managed or started by the cluster.
+ // This is an unexpected state.
+ ResourceEnabledReasonDisabled = "Disabled"
+)
+
+// ResourceOperational condition reasons
+const (
+ // ResourceOperationalReasonOperational means the resource is operational (not failed).
+ // This is the normal operating state.
+ ResourceOperationalReasonOperational = "Operational"
+
+ // ResourceOperationalReasonFailed means the resource has failed.
+ // A failed resource is one that is not able to start or is in an error state. This is an unexpected state.
+ ResourceOperationalReasonFailed = "Failed"
+)
+
+// ResourceActive condition reasons
+const (
+ // ResourceActiveReasonActive means the resource is active.
+ // An active resource is running on a cluster node. This is the normal operating state.
+ ResourceActiveReasonActive = "Active"
+
+ // ResourceActiveReasonInactive means the resource is not active.
+ // This is an unexpected state.
+ ResourceActiveReasonInactive = "Inactive"
+)
+
+// ResourceStarted condition reasons
+const (
+ // ResourceStartedReasonStarted means the resource is started.
+ // This is the normal operating state.
+ ResourceStartedReasonStarted = "Started"
+
+ // ResourceStartedReasonStopped means the resource is stopped.
+ // It's normal for a resource like etcd to become stopped in the event of a quorum loss event because
+ // the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one.
+ // A resource that stays stopped for an extended period of time is an unexpected state and should be investigated.
+ ResourceStartedReasonStopped = "Stopped"
+)
+
+// ResourceSchedulable condition reasons
+const (
+ // ResourceSchedulableReasonSchedulable means the resource is schedulable (not blocked).
+ // This is the normal operating state.
+ ResourceSchedulableReasonSchedulable = "Schedulable"
+
+ // ResourceSchedulableReasonUnschedulable means the resource is not schedulable (blocked).
+ // A resource that is not schedulable is unable to start or move to a different node. This is an unexpected state.
+ ResourceSchedulableReasonUnschedulable = "Unschedulable"
+)
+
+// PacemakerNodeAddressType represents the type of a node address.
+// Currently only InternalIP is supported.
+// +kubebuilder:validation:Enum=InternalIP
+// +enum
+type PacemakerNodeAddressType string
+
+const (
+ // PacemakerNodeInternalIP is an internal IP address assigned to the node.
+ // This is typically the IP address used for intra-cluster communication.
+ PacemakerNodeInternalIP PacemakerNodeAddressType = "InternalIP"
+)
+
+// PacemakerNodeAddress contains information for a node's address.
+// This is similar to corev1.NodeAddress but adds validation for IP addresses.
+type PacemakerNodeAddress struct {
+ // type is the type of node address.
+ // Currently only "InternalIP" is supported.
+ // +required
+ Type PacemakerNodeAddressType `json:"type,omitempty"`
+
+ // address is the node address.
+ // For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form.
+ // Canonical form means the shortest standard representation (e.g., "192.168.1.1" not "192.168.001.001",
+ // or "2001:db8::1" not "2001:0db8::1"). Maximum length is 39 characters (full IPv6 address).
+ // Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=39
+ // +kubebuilder:validation:XValidation:rule="isIP(self) && ip.isCanonical(self) && ip(self).isGlobalUnicast()",message="must be a valid global unicast IPv4 or IPv6 address in canonical form"
+ // +required
+ Address string `json:"address,omitempty"`
+}
+
+// PacemakerClusterResourceName represents the name of a pacemaker resource.
+// Fencing agents are tracked separately in the fencingAgents field.
+// +kubebuilder:validation:Enum=Kubelet;Etcd
+// +enum
+type PacemakerClusterResourceName string
+
+// PacemakerClusterResourceName values
+const (
+ // PacemakerClusterResourceNameKubelet is the kubelet pacemaker resource.
+ // The kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments.
+ PacemakerClusterResourceNameKubelet PacemakerClusterResourceName = "Kubelet"
+
+ // PacemakerClusterResourceNameEtcd is the etcd pacemaker resource.
+ // The etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations.
+ PacemakerClusterResourceNameEtcd PacemakerClusterResourceName = "Etcd"
+)
+
+// FencingMethod represents the method used by a fencing agent to isolate failed nodes.
+// Valid values are "Redfish" and "IPMI".
+// +kubebuilder:validation:Enum=Redfish;IPMI
+// +enum
+type FencingMethod string
+
+// FencingMethod values
+const (
+ // FencingMethodRedfish uses Redfish, a standard RESTful API for server management.
+ FencingMethodRedfish FencingMethod = "Redfish"
+
+ // FencingMethodIPMI uses IPMI (Intelligent Platform Management Interface), a hardware management interface.
+ FencingMethodIPMI FencingMethod = "IPMI"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command.
+// PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is "cluster". This
+// resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=pacemakerclusters,scope=Cluster,singular=pacemakercluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2544
+// +openshift:file-pattern=cvoRunLevel=0000_25,operatorName=etcd,operatorOrdering=01,operatorComponent=two-node-fencing
+// +openshift:enable:FeatureGate=DualReplica
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="PacemakerCluster must be named 'cluster'"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.status) || has(self.status)",message="status may not be removed once set"
+type PacemakerCluster struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +required
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // status contains the actual pacemaker cluster status information collected from the cluster.
+ // The goal of this status is to be able to quickly identify if pacemaker is in a healthy state.
+ // In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources.
+ // This field is optional on creation - the status collector populates it immediately after creating
+ // the resource via the status subresource.
+ // +optional
+ Status PacemakerClusterStatus `json:"status,omitzero"`
+}
+
+// PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status
+// object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value.
+// The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.lastUpdated) || self.lastUpdated >= oldSelf.lastUpdated",message="lastUpdated may not be set to an earlier timestamp"
+type PacemakerClusterStatus struct {
+ // conditions represent the observations of the pacemaker cluster's current state.
+ // Known condition types are: "Healthy", "InService", "NodeCountAsExpected".
+ // The "Healthy" condition is an aggregate that tracks the overall health of the cluster.
+ // The "InService" condition tracks whether the cluster is in service (not in maintenance mode).
+ // The "NodeCountAsExpected" condition tracks whether the expected number of nodes are present.
+ // Each of these conditions is required, so the array must contain at least 3 items.
+ // +listType=map
+ // +listMapKey=type
+ // +kubebuilder:validation:MinItems=3
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'NodeCountAsExpected')",message="conditions must contain a condition of type NodeCountAsExpected"
+ // +required
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // lastUpdated is the timestamp when this status was last updated. This is useful for identifying
+ // stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot
+ // be removed and cannot be set to an earlier timestamp than the current value.
+ // +kubebuilder:validation:Format=date-time
+ // +required
+ LastUpdated metav1.Time `json:"lastUpdated,omitempty,omitzero"`
+
+ // nodes provides detailed status for each control-plane node in the Pacemaker cluster.
+ // While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes).
+ // For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster.
+ // An empty list indicates a catastrophic failure where Pacemaker reports no nodes.
+ // +listType=map
+ // +listMapKey=nodeName
+ // +kubebuilder:validation:MinItems=0
+ // +kubebuilder:validation:MaxItems=5
+ // +required
+ Nodes *[]PacemakerClusterNodeStatus `json:"nodes,omitempty"`
+}
+
+// PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including
+// the node's conditions and the health of critical resources running on that node.
+type PacemakerClusterNodeStatus struct {
+ // conditions represent the observations of the node's current state.
+ // Known condition types are: "Healthy", "Online", "InService", "Active", "Ready", "Clean", "Member",
+ // "FencingAvailable", "FencingHealthy".
+ // The "Healthy" condition is an aggregate that tracks the overall health of the node.
+ // The "Online" condition tracks whether the node is online.
+ // The "InService" condition tracks whether the node is in service (not in maintenance mode).
+ // The "Active" condition tracks whether the node is active (not in standby mode).
+ // The "Ready" condition tracks whether the node is ready (not in a pending state).
+ // The "Clean" condition tracks whether the node is in a clean (status known) state.
+ // The "Member" condition tracks whether the node is a member of the cluster.
+ // The "FencingAvailable" condition tracks whether this node can be fenced by at least one healthy agent.
+ // The "FencingHealthy" condition tracks whether all fencing agents for this node are healthy.
+ // Each of these conditions is required, so the array must contain at least 9 items.
+ // +listType=map
+ // +listMapKey=type
+ // +kubebuilder:validation:MinItems=9
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Online')",message="conditions must contain a condition of type Online"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Ready')",message="conditions must contain a condition of type Ready"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Clean')",message="conditions must contain a condition of type Clean"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Member')",message="conditions must contain a condition of type Member"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingAvailable')",message="conditions must contain a condition of type FencingAvailable"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingHealthy')",message="conditions must contain a condition of type FencingHealthy"
+ // +required
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase
+ // RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with
+ // an alphanumeric character, and be at most 253 characters in length.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="nodeName must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+ // +required
+ NodeName string `json:"nodeName,omitempty"`
+
+ // addresses is a list of IP addresses for the node.
+ // Pacemaker allows multiple IP addresses for Corosync communication between nodes.
+ // The first address in this list is used for IP-based peer URLs for etcd membership.
+ // Each address must be a valid global unicast IPv4 or IPv6 address in canonical form
+ // (e.g., "192.168.1.1" not "192.168.001.001", or "2001:db8::1" not "2001:0db8::1").
+ // This excludes loopback, link-local, and multicast addresses.
+ // +listType=atomic
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=8
+ // +required
+ Addresses []PacemakerNodeAddress `json:"addresses,omitempty"`
+
+ // resources contains the status of pacemaker resources scheduled on this node.
+ // Each resource entry includes the resource name and its health conditions.
+ // For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node.
+ // Both resources are required to be present, so the array must contain at least 2 items.
+ // Valid resource names are "Kubelet" and "Etcd".
+ // Fencing agents are tracked separately in the fencingAgents field.
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MinItems=2
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Kubelet')",message="resources must contain a resource named Kubelet"
+ // +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Etcd')",message="resources must contain a resource named Etcd"
+ // +required
+ Resources []PacemakerClusterResourceStatus `json:"resources,omitempty"`
+
+ // fencingAgents contains the status of fencing agents that can fence this node.
+ // Unlike resources (which are scheduled to run on this node), fencing agents are mapped
+ // to the node they can fence (their target), not the node where monitoring operations run.
+ // Each fencing agent entry includes a unique name, fencing type, target node, and health conditions.
+ // A node is considered fence-capable if at least one fencing agent is healthy.
+ // Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy.
+ // Names must be unique within this array.
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="fencing agent names must be unique"
+ // +required
+ FencingAgents []PacemakerClusterFencingAgentStatus `json:"fencingAgents,omitempty"`
+}
+
+// PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node.
+// Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes.
+// Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they
+// can fence), not the node where their monitoring operations are scheduled.
+type PacemakerClusterFencingAgentStatus struct {
+ // conditions represent the observations of the fencing agent's current state.
+ // Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational",
+ // "Active", "Started", "Schedulable".
+ // The "Healthy" condition is an aggregate that tracks the overall health of the fencing agent.
+ // The "InService" condition tracks whether the fencing agent is in service (not in maintenance mode).
+ // The "Managed" condition tracks whether the fencing agent is managed by pacemaker.
+ // The "Enabled" condition tracks whether the fencing agent is enabled.
+ // The "Operational" condition tracks whether the fencing agent is operational (not failed).
+ // The "Active" condition tracks whether the fencing agent is active (available to be used).
+ // The "Started" condition tracks whether the fencing agent is started.
+ // The "Schedulable" condition tracks whether the fencing agent is schedulable (not blocked).
+ // Each of these conditions is required, so the array must contain at least 8 items.
+ // +listType=map
+ // +listMapKey=type
+ // +kubebuilder:validation:MinItems=8
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable"
+ // +required
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // name is the unique identifier for this fencing agent (e.g., "master-0_redfish").
+ // The name must be unique within the fencingAgents array for this node.
+ // It may contain alphanumeric characters, dots, hyphens, and underscores.
+ // Maximum length is 300 characters, providing headroom beyond the typical format of
+ // _ (253 for RFC 1123 node name + 1 underscore + type).
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=300
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="name must contain only alphanumeric characters, dots, hyphens, and underscores"
+ // +required
+ Name string `json:"name,omitempty"`
+
+ // method is the fencing method used by this agent.
+ // Valid values are "Redfish" and "IPMI".
+ // Redfish is a standard RESTful API for server management.
+ // IPMI (Intelligent Platform Management Interface) is a hardware management interface.
+ // +required
+ Method FencingMethod `json:"method,omitempty"`
+}
+
+// PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node.
+// A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or
+// applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability.
+// For Two Node OpenShift with Fencing, we track two resources per node:
+// - Kubelet (the Kubernetes node agent and a prerequisite for etcd)
+// - Etcd (the distributed key-value store)
+//
+// Fencing agents are tracked separately in the fencingAgents field because they are mapped to
+// their target node (the node they can fence), not the node where monitoring operations are scheduled.
+type PacemakerClusterResourceStatus struct {
+ // conditions represent the observations of the resource's current state.
+ // Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational",
+ // "Active", "Started", "Schedulable".
+ // The "Healthy" condition is an aggregate that tracks the overall health of the resource.
+ // The "InService" condition tracks whether the resource is in service (not in maintenance mode).
+ // The "Managed" condition tracks whether the resource is managed by pacemaker.
+ // The "Enabled" condition tracks whether the resource is enabled.
+ // The "Operational" condition tracks whether the resource is operational (not failed).
+ // The "Active" condition tracks whether the resource is active (available to be used).
+ // The "Started" condition tracks whether the resource is started.
+ // The "Schedulable" condition tracks whether the resource is schedulable (not blocked).
+ // Each of these conditions is required, so the array must contain at least 8 items.
+ // +listType=map
+ // +listMapKey=type
+ // +kubebuilder:validation:MinItems=8
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started"
+ // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable"
+ // +required
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // name is the name of the pacemaker resource.
+ // Valid values are "Kubelet" and "Etcd".
+ // The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments.
+ // The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations.
+ // Fencing agents are tracked separately in the node's fencingAgents field.
+ // +required
+ Name PacemakerClusterResourceName `json:"name,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton
+// resource; only one instance named "cluster" may exist. This list type exists only to satisfy Kubernetes API
+// conventions.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type PacemakerClusterList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ // items is a list of PacemakerCluster objects.
+ Items []PacemakerCluster `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 000000000..17bf97851
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,210 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Code generated by codegen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerCluster) DeepCopyInto(out *PacemakerCluster) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerCluster. +func (in *PacemakerCluster) DeepCopy() *PacemakerCluster { + if in == nil { + return nil + } + out := new(PacemakerCluster) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacemakerCluster) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterFencingAgentStatus) DeepCopyInto(out *PacemakerClusterFencingAgentStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterFencingAgentStatus. +func (in *PacemakerClusterFencingAgentStatus) DeepCopy() *PacemakerClusterFencingAgentStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterFencingAgentStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PacemakerClusterList) DeepCopyInto(out *PacemakerClusterList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PacemakerCluster, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterList. +func (in *PacemakerClusterList) DeepCopy() *PacemakerClusterList { + if in == nil { + return nil + } + out := new(PacemakerClusterList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacemakerClusterList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterNodeStatus) DeepCopyInto(out *PacemakerClusterNodeStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Addresses != nil { + in, out := &in.Addresses, &out.Addresses + *out = make([]PacemakerNodeAddress, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]PacemakerClusterResourceStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.FencingAgents != nil { + in, out := &in.FencingAgents, &out.FencingAgents + *out = make([]PacemakerClusterFencingAgentStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterNodeStatus. 
+func (in *PacemakerClusterNodeStatus) DeepCopy() *PacemakerClusterNodeStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterNodeStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterResourceStatus) DeepCopyInto(out *PacemakerClusterResourceStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterResourceStatus. +func (in *PacemakerClusterResourceStatus) DeepCopy() *PacemakerClusterResourceStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterResourceStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterStatus) DeepCopyInto(out *PacemakerClusterStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastUpdated.DeepCopyInto(&out.LastUpdated) + if in.Nodes != nil { + in, out := &in.Nodes, &out.Nodes + *out = new([]PacemakerClusterNodeStatus) + if **in != nil { + in, out := *in, *out + *out = make([]PacemakerClusterNodeStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterStatus. 
+func (in *PacemakerClusterStatus) DeepCopy() *PacemakerClusterStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerNodeAddress) DeepCopyInto(out *PacemakerNodeAddress) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerNodeAddress. +func (in *PacemakerNodeAddress) DeepCopy() *PacemakerNodeAddress { + if in == nil { + return nil + } + out := new(PacemakerNodeAddress) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml new file mode 100644 index 000000000..f5a64682a --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -0,0 +1,23 @@ +pacemakerclusters.etcd.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2544 + CRDName: pacemakerclusters.etcd.openshift.io + Capability: "" + Category: "" + FeatureGates: + - DualReplica + FilenameOperatorName: etcd + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_25" + GroupName: etcd.openshift.io + HasStatus: true + KindName: PacemakerCluster + Labels: {} + PluralName: pacemakerclusters + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - DualReplica + Version: v1alpha1 + diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go new file mode 100644 index 000000000..62e1c3ebd --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -0,0 +1,89 @@ +package v1alpha1 + +// This file contains a collection of methods that can be used from go-restful to +// generate Swagger API documentation for its models. Please read this PR for more +// information on the implementation: https://github.com/emicklei/go-restful/pull/215 +// +// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if +// they are on one line! For multiple line or blocks that you want to ignore use ---. +// Any context after a --- is ignored. +// +// Those methods can be generated by using hack/update-swagger-docs.sh + +// AUTO-GENERATED FUNCTIONS START HERE +var map_PacemakerCluster = map[string]string{ + "": "PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command. PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is \"cluster\". This resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "status": "status contains the actual pacemaker cluster status information collected from the cluster. The goal of this status is to be able to quickly identify if pacemaker is in a healthy state. In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources. 
This field is optional on creation - the status collector populates it immediately after creating the resource via the status subresource.", +} + +func (PacemakerCluster) SwaggerDoc() map[string]string { + return map_PacemakerCluster +} + +var map_PacemakerClusterFencingAgentStatus = map[string]string{ + "": "PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node. Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they can fence), not the node where their monitoring operations are scheduled.", + "conditions": "conditions represent the observations of the fencing agent's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the fencing agent. The \"InService\" condition tracks whether the fencing agent is in service (not in maintenance mode). The \"Managed\" condition tracks whether the fencing agent is managed by pacemaker. The \"Enabled\" condition tracks whether the fencing agent is enabled. The \"Operational\" condition tracks whether the fencing agent is operational (not failed). The \"Active\" condition tracks whether the fencing agent is active (available to be used). The \"Started\" condition tracks whether the fencing agent is started. The \"Schedulable\" condition tracks whether the fencing agent is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.", + "name": "name is the unique identifier for this fencing agent (e.g., \"master-0_redfish\"). The name must be unique within the fencingAgents array for this node. It may contain alphanumeric characters, dots, hyphens, and underscores. 
Maximum length is 300 characters, providing headroom beyond the typical format of _ (253 for RFC 1123 node name + 1 underscore + type).", + "method": "method is the fencing method used by this agent. Valid values are \"Redfish\" and \"IPMI\". Redfish is a standard RESTful API for server management. IPMI (Intelligent Platform Management Interface) is a hardware management interface.", +} + +func (PacemakerClusterFencingAgentStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterFencingAgentStatus +} + +var map_PacemakerClusterList = map[string]string{ + "": "PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton resource; only one instance named \"cluster\" may exist. This list type exists only to satisfy Kubernetes API conventions.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of PacemakerCluster objects.", +} + +func (PacemakerClusterList) SwaggerDoc() map[string]string { + return map_PacemakerClusterList +} + +var map_PacemakerClusterNodeStatus = map[string]string{ + "": "PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including the node's conditions and the health of critical resources running on that node.", + "conditions": "conditions represent the observations of the node's current state. Known condition types are: \"Healthy\", \"Online\", \"InService\", \"Active\", \"Ready\", \"Clean\", \"Member\", \"FencingAvailable\", \"FencingHealthy\". The \"Healthy\" condition is an aggregate that tracks the overall health of the node. The \"Online\" condition tracks whether the node is online. 
The \"InService\" condition tracks whether the node is in service (not in maintenance mode). The \"Active\" condition tracks whether the node is active (not in standby mode). The \"Ready\" condition tracks whether the node is ready (not in a pending state). The \"Clean\" condition tracks whether the node is in a clean (status known) state. The \"Member\" condition tracks whether the node is a member of the cluster. The \"FencingAvailable\" condition tracks whether this node can be fenced by at least one healthy agent. The \"FencingHealthy\" condition tracks whether all fencing agents for this node are healthy. Each of these conditions is required, so the array must contain at least 9 items.", + "nodeName": "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.", + "addresses": "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.", + "resources": "resources contains the status of pacemaker resources scheduled on this node. Each resource entry includes the resource name and its health conditions. For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. Both resources are required to be present, so the array must contain at least 2 items. Valid resource names are \"Kubelet\" and \"Etcd\". 
Fencing agents are tracked separately in the fencingAgents field.", + "fencingAgents": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. Names must be unique within this array.", +} + +func (PacemakerClusterNodeStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterNodeStatus +} + +var map_PacemakerClusterResourceStatus = map[string]string{ + "": "PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node. A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. For Two Node OpenShift with Fencing, we track two resources per node:\n - Kubelet (the Kubernetes node agent and a prerequisite for etcd)\n - Etcd (the distributed key-value store)\n\nFencing agents are tracked separately in the fencingAgents field because they are mapped to their target node (the node they can fence), not the node where monitoring operations are scheduled.", + "conditions": "conditions represent the observations of the resource's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the resource. The \"InService\" condition tracks whether the resource is in service (not in maintenance mode). 
The \"Managed\" condition tracks whether the resource is managed by pacemaker. The \"Enabled\" condition tracks whether the resource is enabled. The \"Operational\" condition tracks whether the resource is operational (not failed). The \"Active\" condition tracks whether the resource is active (available to be used). The \"Started\" condition tracks whether the resource is started. The \"Schedulable\" condition tracks whether the resource is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.", + "name": "name is the name of the pacemaker resource. Valid values are \"Kubelet\" and \"Etcd\". The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. Fencing agents are tracked separately in the node's fencingAgents field.", +} + +func (PacemakerClusterResourceStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterResourceStatus +} + +var map_PacemakerClusterStatus = map[string]string{ + "": "PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value. The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.", + "conditions": "conditions represent the observations of the pacemaker cluster's current state. Known condition types are: \"Healthy\", \"InService\", \"NodeCountAsExpected\". The \"Healthy\" condition is an aggregate that tracks the overall health of the cluster. The \"InService\" condition tracks whether the cluster is in service (not in maintenance mode). The \"NodeCountAsExpected\" condition tracks whether the expected number of nodes are present. 
Each of these conditions is required, so the array must contain at least 3 items.", + "lastUpdated": "lastUpdated is the timestamp when this status was last updated. This is useful for identifying stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot be removed and cannot be set to an earlier timestamp than the current value.", + "nodes": "nodes provides detailed status for each control-plane node in the Pacemaker cluster. While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. An empty list indicates a catastrophic failure where Pacemaker reports no nodes.", +} + +func (PacemakerClusterStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterStatus +} + +var map_PacemakerNodeAddress = map[string]string{ + "": "PacemakerNodeAddress contains information for a node's address. This is similar to corev1.NodeAddress but adds validation for IP addresses.", + "type": "type is the type of node address. Currently only \"InternalIP\" is supported.", + "address": "address is the node address. For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form. Canonical form means the shortest standard representation (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). Maximum length is 39 characters (full IPv6 address). Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.", +} + +func (PacemakerNodeAddress) SwaggerDoc() map[string]string { + return map_PacemakerNodeAddress +} + +// AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 6b21a4ae5..0bb1c3a09 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md 
@@ -5,15 +5,16 @@ | EventedPLEG| | | | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | | | MultiArchInstallAzure| | | | | | | | | -| NewOLMBoxCutterRuntime| | | | | | | | | | ShortCertRotation| | | | | | | | | +| ClusterAPIComputeInstall| | | Enabled | Enabled | | | | | +| ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | | | ClusterAPIMachineManagementVSphere| | | Enabled | Enabled | | | | | | Example2| | | Enabled | Enabled | | | | | | ExternalSnapshotMetadata| | | Enabled | Enabled | | | | | -| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | | | | | +| KMSEncryptionProvider| | | Enabled | Enabled | | | | | | NetworkConnect| | | Enabled | Enabled | | | | | +| NewOLMBoxCutterRuntime| | | | Enabled | | | | Enabled | | NewOLMCatalogdAPIV1Metas| | | | Enabled | | | | Enabled | -| NewOLMOwnSingleNamespace| | | | Enabled | | | | Enabled | | NewOLMPreflightPermissionChecks| | | | Enabled | | | | Enabled | | NoRegistryClusterInstall| | | | Enabled | | | | Enabled | | ProvisioningRequestAvailable| | | Enabled | Enabled | | | | | 
@@ -31,36 +32,42 @@ | BootcNodeManagement| | | Enabled | Enabled | | | Enabled | Enabled | | CBORServingAndStorage| | | Enabled | Enabled | | | Enabled | Enabled | | CRDCompatibilityRequirementOperator| | | Enabled | Enabled | | | Enabled | Enabled | +| CRIOCredentialProviderConfig| | | Enabled | Enabled | | | Enabled | Enabled | | ClientsPreferCBOR| | | Enabled | Enabled | | | Enabled | Enabled | | ClusterAPIInstallIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled | | ClusterAPIMachineManagement| | | Enabled | Enabled | | | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | | | Enabled | Enabled | +| ClusterUpdateAcceptRisks| | | Enabled | Enabled | | | Enabled | Enabled | | ClusterVersionOperatorConfiguration| | | Enabled | Enabled | | | Enabled | Enabled | +| ConfigurablePKI| | | Enabled | Enabled | | | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | | | Enabled | Enabled | +| DRAPartitionableDevices| | | Enabled | Enabled | | | Enabled | Enabled | | DualReplica| | | Enabled | Enabled | | | Enabled | Enabled | | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled | +| EVPN| | | Enabled | Enabled | | | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | | | Enabled | Enabled | | EventTTL| | | Enabled | Enabled | | | Enabled | Enabled | | Example| | | Enabled | Enabled | | | Enabled | Enabled | +| ExternalOIDCWithUpstreamParity| | | Enabled | Enabled | | | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | | | Enabled | Enabled | | GCPDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled | | HyperShiftOnlyDynamicResourceAllocation| Enabled | | Enabled | | Enabled | | Enabled | | | ImageModeStatusReporting| | | Enabled | Enabled | | | Enabled | Enabled | +| IngressControllerDynamicConfigurationManager| | | 
Enabled | Enabled | | | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | | | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | | | Enabled | Enabled | | IrreconcilableMachineConfig| | | Enabled | Enabled | | | Enabled | Enabled | -| KMSEncryptionProvider| | | Enabled | Enabled | | | Enabled | Enabled | +| KMSEncryption| | | Enabled | Enabled | | | Enabled | Enabled | | MachineAPIMigration| | | Enabled | Enabled | | | Enabled | Enabled | -| ManagedBootImagesCPMS| | | Enabled | Enabled | | | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | | | Enabled | Enabled | | MinimumKubeletVersion| | | Enabled | Enabled | | | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | | | Enabled | Enabled | | MultiDiskSetup| | | Enabled | Enabled | | | Enabled | Enabled | -| MutableCSINodeAllocatableCount| | | Enabled | Enabled | | | Enabled | Enabled | | MutatingAdmissionPolicy| | | Enabled | Enabled | | | Enabled | Enabled | | NewOLM| | Enabled | | Enabled | | Enabled | | Enabled | +| NewOLMOwnSingleNamespace| | Enabled | | Enabled | | Enabled | | Enabled | | NewOLMWebhookProviderOpenshiftServiceCA| | Enabled | | Enabled | | Enabled | | Enabled | | NutanixMultiSubnets| | | Enabled | Enabled | | | Enabled | Enabled | | OSStreams| | | Enabled | Enabled | | | Enabled | Enabled | 
@@ -72,9 +79,6 @@ | VSphereHostVMGroupZonal| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | | | Enabled | Enabled | -| AdditionalRoutingCapabilities| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| AdminNetworkPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| AlibabaPlatform| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | 
@@ -92,16 +96,12 @@ | ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesAzure| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesCPMS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesvSphere| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MetricsCollectionProfiles| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| NetworkLiveMigration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| NetworkSegmentation| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| MutableCSINodeAllocatableCount| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | PinnedImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| PreconfiguredUDNAddresses| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| ProcMountType| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| RouteAdvertisements| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | 
@@ -112,4 +112,3 @@ | UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiDisk| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VolumeAttributesClass| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 660e5758b..c460e6309 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -131,13 +131,13 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() - FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform"). - reportProblemsToJiraComponent("cloud-provider"). - contactPerson("jspeed"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateCRIOCredentialProviderConfig = newFeatureGate("CRIOCredentialProviderConfig"). + reportProblemsToJiraComponent("node"). + contactPerson("QiWang"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1861"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). reportProblemsToJiraComponent("splat"). 
@@ -171,22 +171,6 @@ var ( enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("tssurya"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("tssurya"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1623"). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateNetworkConnect = newFeatureGate("NetworkConnect"). reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). 
@@ -195,37 +179,13 @@ var ( enableIn(configv1.DevPreviewNoUpgrade). mustRegister() - FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities"). - reportProblemsToJiraComponent("Networking/cluster-network-operator"). - contactPerson("jcaamano"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateRouteAdvertisements = newFeatureGate("RouteAdvertisements"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("jcaamano"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("pliu"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateNetworkDiagnosticsConfig = newFeatureGate("NetworkDiagnosticsConfig"). - reportProblemsToJiraComponent("Networking/cluster-network-operator"). - contactPerson("kyrtapz"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateEVPN = newFeatureGate("EVPN"). + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("jcaamano"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1862"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). 
+ mustRegister() FeatureGateOVNObservability = newFeatureGate("OVNObservability"). reportProblemsToJiraComponent("Networking"). @@ -358,7 +318,7 @@ var ( contactPerson("djoshy"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1818"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement"). @@ -409,14 +369,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() - FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass"). - reportProblemsToJiraComponent("Storage / Kubernetes External Components"). - contactPerson("dfajmon"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3751"). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot"). reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("fbertina"). @@ -449,6 +401,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() + FeatureGateExternalOIDCWithUpstreamParity = newFeatureGate("ExternalOIDCWithUpstreamParity"). + reportProblemsToJiraComponent("authentication"). + contactPerson("saldawam"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1763"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateExample = newFeatureGate("Example"). reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). 
@@ -494,7 +454,7 @@ var ( contactPerson("nschieder"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1849"). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA"). @@ -510,6 +470,7 @@ var ( contactPerson("pegoncal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1890"). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). @@ -610,14 +571,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() - FeatureGateProcMountType = newFeatureGate("ProcMountType"). - reportProblemsToJiraComponent("Node"). - contactPerson("haircommander"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). - mustRegister() - FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks"). reportProblemsToJiraComponent("SPLAT"). contactPerson("rvanderp"). @@ -630,8 +583,8 @@ var ( reportProblemsToJiraComponent("Networking/router"). contactPerson("miciah"). productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1687"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion"). 
@@ -655,9 +608,17 @@ var ( contactPerson("swghosh"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1682"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGateKMSEncryption = newFeatureGate("KMSEncryption"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("ardaguclu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1900"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter"). reportProblemsToJiraComponent("Two Node with Arbiter"). contactPerson("eggfoobar"). @@ -674,6 +635,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateClusterUpdateAcceptRisks = newFeatureGate("ClusterUpdateAcceptRisks"). + reportProblemsToJiraComponent("Cluster Version Operator"). + contactPerson("hongkliu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1807"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). 
@@ -774,14 +743,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGatePreconfiguredUDNAddresses = newFeatureGate("PreconfiguredUDNAddresses"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("kyrtapz"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1793"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). - mustRegister() - FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup"). reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager"). contactPerson("mtulio"). @@ -897,7 +858,7 @@ var ( contactPerson("jsafrane"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4876"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() FeatureGateOSStreams = newFeatureGate("OSStreams"). reportProblemsToJiraComponent("MachineConfigOperator"). 
@@ -937,4 +898,36 @@ var ( enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD). mustRegister() + + FeatureGateDRAPartitionableDevices = newFeatureGate("DRAPartitionableDevices"). + reportProblemsToJiraComponent("Node"). + contactPerson("harche"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4815"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateConfigurablePKI = newFeatureGate("ConfigurablePKI"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("sanchezl"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1882"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateClusterAPIControlPlaneInstall = newFeatureGate("ClusterAPIControlPlaneInstall"). + reportProblemsToJiraComponent("Installer / openshift-installer"). + contactPerson("patrickdillon"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1465"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + + FeatureGateClusterAPIComputeInstall = newFeatureGate("ClusterAPIComputeInstall"). + reportProblemsToJiraComponent("Installer / openshift-installer"). + contactPerson("patrickdillon"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1465"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go index dd11fdf66..a92c0b9bb 100644 --- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go +++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go 
@@ -7,10 +7,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "AWSEFSDriverVolumeMetrics", // never add to this list, if you think you have an exception ask @deads2k - "AdditionalRoutingCapabilities", - // never add to this list, if you think you have an exception ask @deads2k - "AdminNetworkPolicy", - // never add to this list, if you think you have an exception ask @deads2k "AlibabaPlatform", // never add to this list, if you think you have an exception ask @deads2k "AutomatedEtcdBackup", @@ -79,12 +75,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "MultiArchInstallGCP", // never add to this list, if you think you have an exception ask @deads2k - "NetworkDiagnosticsConfig", - // never add to this list, if you think you have an exception ask @deads2k - "NetworkLiveMigration", - // never add to this list, if you think you have an exception ask @deads2k - "NetworkSegmentation", - // never add to this list, if you think you have an exception ask @deads2k "NewOLM", // never add to this list, if you think you have an exception ask @deads2k "OVNObservability", @@ -95,8 +85,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "PrivateHostedZoneAWS", // never add to this list, if you think you have an exception ask @deads2k - "RouteAdvertisements", - // never add to this list, if you think you have an exception ask @deads2k "RouteExternalCertificate", // never add to this list, if you think you have an exception ask @deads2k "SetEIPForNLBIngressController", diff --git a/vendor/github.com/openshift/api/install.go b/vendor/github.com/openshift/api/install.go index ea5f34970..e4574e7c4 100644 --- a/vendor/github.com/openshift/api/install.go +++ b/vendor/github.com/openshift/api/install.go 
@@ -55,6 +55,7 @@ import ( "github.com/openshift/api/cloudnetwork" "github.com/openshift/api/config" "github.com/openshift/api/console" + "github.com/openshift/api/etcd" "github.com/openshift/api/helm" "github.com/openshift/api/image" "github.com/openshift/api/imageregistry" @@ -91,6 +92,7 @@ var ( build.Install, config.Install, console.Install, + etcd.Install, helm.Install, image.Install, imageregistry.Install, diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index c6442186a..d1d5941fa 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go @@ -463,10 +463,11 @@ const ( // DedicatedHost represents the configuration for the usage of dedicated host. type DedicatedHost struct { // id identifies the AWS Dedicated Host on which the instance must run. - // The value must start with "h-" followed by 17 lowercase hexadecimal characters (0-9 and a-f). - // Must be exactly 19 characters in length. - // +kubebuilder:validation:XValidation:rule="self.matches('^h-[0-9a-f]{17}$')",message="hostID must start with 'h-' followed by 17 lowercase hexadecimal characters (0-9 and a-f)" - // +kubebuilder:validation:MinLength=19 + // The value must start with "h-" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). + // The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. + // Must be either 10 or 19 characters in length. + // +kubebuilder:validation:XValidation:rule="self.matches('^h-([0-9a-f]{8}|[0-9a-f]{17})$')",message="hostID must start with 'h-' followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f)" + // +kubebuilder:validation:MinLength=10 // +kubebuilder:validation:MaxLength=19 // +required ID string `json:"id,omitempty"` 
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go index 33f472f92..6bfe85081 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go @@ -185,6 +185,18 @@ const ( MachineAuthorityMigrating MachineAuthority = "Migrating" ) +// SynchronizedAPI holds the last stable value of authoritativeAPI. +// +kubebuilder:validation:Enum=MachineAPI;ClusterAPI +type SynchronizedAPI string + +const ( + // MachineAPISynchronized indicates that the Machine API is the last synchronized API. + MachineAPISynchronized SynchronizedAPI = "MachineAPI" + + // ClusterAPISynchronized indicates that the Cluster API is the last synchronized API. + ClusterAPISynchronized SynchronizedAPI = "ClusterAPI" +) + // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -317,6 +329,7 @@ type LifecycleHook struct { // MachineStatus defines the observed state of Machine // +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set" type MachineStatus struct { // nodeRef will point to the corresponding Node if it exists. // +optional 
@@ -406,6 +419,14 @@ type MachineStatus struct { // +optional AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"` + // synchronizedAPI holds the last stable value of authoritativeAPI. + // It is used to detect migration cancellation requests and to restore the resource to its previous state. + // Valid values are "MachineAPI" and "ClusterAPI". + // When omitted, the resource has not yet been reconciled by the migration controller. + // +openshift:enable:FeatureGate=MachineAPIMigration + // +optional + SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"` + // synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. // This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. // +kubebuilder:validation:Minimum=0 diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go index a2343dc39..be5476344 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go 
@@ -112,6 +112,7 @@ type MachineTemplateSpec struct { // MachineSetStatus defines the observed state of MachineSet // +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set" type MachineSetStatus struct { // replicas is the most recently observed number of replicas. // +optional @@ -168,6 +169,14 @@ type MachineSetStatus struct { // +optional AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"` + // synchronizedAPI holds the last stable value of authoritativeAPI. + // It is used to detect migration cancellation requests and to restore the resource to its previous state. + // Valid values are "MachineAPI" and "ClusterAPI". + // When omitted, the resource has not yet been reconciled by the migration controller. + // +openshift:enable:FeatureGate=MachineAPIMigration + // +optional + SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"` + // synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. // This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match. // +kubebuilder:validation:Minimum=0 
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-CustomNoUpgrade.crd.yaml index d9e0dab84..775b9ff34 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-CustomNoUpgrade.crd.yaml @@ -567,6 +567,16 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -584,6 +594,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml index 3610c1f3e..e14ed6f87 100644 
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-DevPreviewNoUpgrade.crd.yaml @@ -567,6 +567,16 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -584,6 +594,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml index c26fa70b5..a91cadf51 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machines-TechPreviewNoUpgrade.crd.yaml 
@@ -567,6 +567,16 @@ spec: serialized/deserialized from this field. type: object x-kubernetes-preserve-unknown-fields: true + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -584,6 +594,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-CustomNoUpgrade.crd.yaml index 0809c028a..7c68b7b18 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-CustomNoUpgrade.crd.yaml 
@@ -674,6 +674,16 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -691,6 +701,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml index abfdbda0d..37fb42ca9 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-DevPreviewNoUpgrade.crd.yaml 
@@ -674,6 +674,16 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -691,6 +701,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml index 0d59497ee..d93d2c15f 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.crd-manifests/0000_10_machine-api_01_machinesets-TechPreviewNoUpgrade.crd.yaml 
@@ -674,6 +674,16 @@ spec: description: replicas is the most recently observed number of replicas. format: int32 type: integer + synchronizedAPI: + description: |- + synchronizedAPI holds the last stable value of authoritativeAPI. + It is used to detect migration cancellation requests and to restore the resource to its previous state. + Valid values are "MachineAPI" and "ClusterAPI". + When omitted, the resource has not yet been reconciled by the migration controller. + enum: + - MachineAPI + - ClusterAPI + type: string synchronizedGeneration: description: |- synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. @@ -691,6 +701,8 @@ spec: && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == ''Migrating'' && self.authoritativeAPI != ''Migrating'')' + - message: authoritativeAPI may not be removed once set + rule: has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI) type: object served: true storage: true diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 903faf94b..0d043ad60 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go 
@@ -94,7 +94,7 @@ func (CPUOptions) SwaggerDoc() map[string]string { var map_DedicatedHost = map[string]string{ "": "DedicatedHost represents the configuration for the usage of dedicated host.", - "id": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by 17 lowercase hexadecimal characters (0-9 and a-f). Must be exactly 19 characters in length.", + "id": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", } func (DedicatedHost) SwaggerDoc() map[string]string { 
@@ -626,6 +626,7 @@ var map_MachineStatus = map[string]string{ "phase": "phase represents the current phase of machine actuation. One of: Failed, Provisioning, Provisioned, Running, Deleting", "conditions": "conditions defines the current state of the Machine", "authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", + "synchronizedAPI": "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.", "synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", } 
@@ -729,6 +730,7 @@ var map_MachineSetStatus = map[string]string{ "errorReason": "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.", "conditions": "conditions defines the current state of the MachineSet", "authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", + "synchronizedAPI": "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". 
When omitted, the resource has not yet been reconciled by the migration controller.", "synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", } diff --git a/vendor/github.com/openshift/api/openapi/generated_openapi/zz_generated.openapi.go b/vendor/github.com/openshift/api/openapi/generated_openapi/zz_generated.openapi.go index 4e9847373..b3a94e903 100644 --- a/vendor/github.com/openshift/api/openapi/generated_openapi/zz_generated.openapi.go +++ b/vendor/github.com/openshift/api/openapi/generated_openapi/zz_generated.openapi.go @@ -166,6 +166,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.AWSPlatformStatus": schema_openshift_api_config_v1_AWSPlatformStatus(ref), "github.com/openshift/api/config/v1.AWSResourceTag": schema_openshift_api_config_v1_AWSResourceTag(ref), "github.com/openshift/api/config/v1.AWSServiceEndpoint": schema_openshift_api_config_v1_AWSServiceEndpoint(ref), + "github.com/openshift/api/config/v1.AcceptRisk": schema_openshift_api_config_v1_AcceptRisk(ref), "github.com/openshift/api/config/v1.AdmissionConfig": schema_openshift_api_config_v1_AdmissionConfig(ref), "github.com/openshift/api/config/v1.AdmissionPluginConfig": schema_openshift_api_config_v1_AdmissionPluginConfig(ref), "github.com/openshift/api/config/v1.AlibabaCloudPlatformSpec": schema_openshift_api_config_v1_AlibabaCloudPlatformSpec(ref), 
@@ -253,7 +254,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.FeatureGateSpec": schema_openshift_api_config_v1_FeatureGateSpec(ref), "github.com/openshift/api/config/v1.FeatureGateStatus": schema_openshift_api_config_v1_FeatureGateStatus(ref), "github.com/openshift/api/config/v1.FeatureGateTests": schema_openshift_api_config_v1_FeatureGateTests(ref), - "github.com/openshift/api/config/v1.FulcioCAWithRekor": schema_openshift_api_config_v1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1.GCPPlatformSpec": schema_openshift_api_config_v1_GCPPlatformSpec(ref), "github.com/openshift/api/config/v1.GCPPlatformStatus": schema_openshift_api_config_v1_GCPPlatformStatus(ref), "github.com/openshift/api/config/v1.GCPResourceLabel": schema_openshift_api_config_v1_GCPResourceLabel(ref), 
@@ -287,9 +287,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ImageLabel": schema_openshift_api_config_v1_ImageLabel(ref), "github.com/openshift/api/config/v1.ImageList": schema_openshift_api_config_v1_ImageList(ref), "github.com/openshift/api/config/v1.ImagePolicy": schema_openshift_api_config_v1_ImagePolicy(ref), + "github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust": schema_openshift_api_config_v1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref), "github.com/openshift/api/config/v1.ImagePolicyList": schema_openshift_api_config_v1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust": schema_openshift_api_config_v1_ImagePolicyPKIRootOfTrust(ref), + "github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust": schema_openshift_api_config_v1_ImagePolicyPublicKeyRootOfTrust(ref), "github.com/openshift/api/config/v1.ImagePolicySpec": schema_openshift_api_config_v1_ImagePolicySpec(ref), "github.com/openshift/api/config/v1.ImagePolicyStatus": schema_openshift_api_config_v1_ImagePolicyStatus(ref), + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy": schema_openshift_api_config_v1_ImageSigstoreVerificationPolicy(ref), "github.com/openshift/api/config/v1.ImageSpec": schema_openshift_api_config_v1_ImageSpec(ref), "github.com/openshift/api/config/v1.ImageStatus": schema_openshift_api_config_v1_ImageStatus(ref), "github.com/openshift/api/config/v1.ImageTagMirrorSet": schema_openshift_api_config_v1_ImageTagMirrorSet(ref), 
@@ -368,13 +372,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.OvirtPlatformLoadBalancer": schema_openshift_api_config_v1_OvirtPlatformLoadBalancer(ref), "github.com/openshift/api/config/v1.OvirtPlatformSpec": schema_openshift_api_config_v1_OvirtPlatformSpec(ref), "github.com/openshift/api/config/v1.OvirtPlatformStatus": schema_openshift_api_config_v1_OvirtPlatformStatus(ref), - "github.com/openshift/api/config/v1.PKI": schema_openshift_api_config_v1_PKI(ref), "github.com/openshift/api/config/v1.PKICertificateSubject": schema_openshift_api_config_v1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1.PersistentVolumeClaimReference": schema_openshift_api_config_v1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1.PersistentVolumeConfig": schema_openshift_api_config_v1_PersistentVolumeConfig(ref), "github.com/openshift/api/config/v1.PlatformSpec": schema_openshift_api_config_v1_PlatformSpec(ref), "github.com/openshift/api/config/v1.PlatformStatus": schema_openshift_api_config_v1_PlatformStatus(ref), - "github.com/openshift/api/config/v1.Policy": schema_openshift_api_config_v1_Policy(ref), "github.com/openshift/api/config/v1.PolicyFulcioSubject": schema_openshift_api_config_v1_PolicyFulcioSubject(ref), "github.com/openshift/api/config/v1.PolicyIdentity": schema_openshift_api_config_v1_PolicyIdentity(ref), "github.com/openshift/api/config/v1.PolicyMatchExactRepository": schema_openshift_api_config_v1_PolicyMatchExactRepository(ref), 
@@ -394,7 +396,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ProxyList": schema_openshift_api_config_v1_ProxyList(ref), "github.com/openshift/api/config/v1.ProxySpec": schema_openshift_api_config_v1_ProxySpec(ref), "github.com/openshift/api/config/v1.ProxyStatus": schema_openshift_api_config_v1_ProxyStatus(ref), - "github.com/openshift/api/config/v1.PublicKey": schema_openshift_api_config_v1_PublicKey(ref), "github.com/openshift/api/config/v1.RegistryLocation": schema_openshift_api_config_v1_RegistryLocation(ref), "github.com/openshift/api/config/v1.RegistrySources": schema_openshift_api_config_v1_RegistrySources(ref), "github.com/openshift/api/config/v1.Release": schema_openshift_api_config_v1_Release(ref), 
@@ -422,10 +423,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.TokenClaimMapping": schema_openshift_api_config_v1_TokenClaimMapping(ref), "github.com/openshift/api/config/v1.TokenClaimMappings": schema_openshift_api_config_v1_TokenClaimMappings(ref), "github.com/openshift/api/config/v1.TokenClaimOrExpressionMapping": schema_openshift_api_config_v1_TokenClaimOrExpressionMapping(ref), + "github.com/openshift/api/config/v1.TokenClaimValidationCELRule": schema_openshift_api_config_v1_TokenClaimValidationCELRule(ref), "github.com/openshift/api/config/v1.TokenClaimValidationRule": schema_openshift_api_config_v1_TokenClaimValidationRule(ref), "github.com/openshift/api/config/v1.TokenConfig": schema_openshift_api_config_v1_TokenConfig(ref), "github.com/openshift/api/config/v1.TokenIssuer": schema_openshift_api_config_v1_TokenIssuer(ref), "github.com/openshift/api/config/v1.TokenRequiredClaim": schema_openshift_api_config_v1_TokenRequiredClaim(ref), + "github.com/openshift/api/config/v1.TokenUserValidationRule": schema_openshift_api_config_v1_TokenUserValidationRule(ref), "github.com/openshift/api/config/v1.Update": schema_openshift_api_config_v1_Update(ref), "github.com/openshift/api/config/v1.UpdateHistory": schema_openshift_api_config_v1_UpdateHistory(ref), "github.com/openshift/api/config/v1.UsernameClaimMapping": schema_openshift_api_config_v1_UsernameClaimMapping(ref), 
@@ -449,6 +452,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.BackupList": schema_openshift_api_config_v1alpha1_BackupList(ref), "github.com/openshift/api/config/v1alpha1.BackupSpec": schema_openshift_api_config_v1alpha1_BackupSpec(ref), "github.com/openshift/api/config/v1alpha1.BackupStatus": schema_openshift_api_config_v1alpha1_BackupStatus(ref), + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfig(ref), + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigList": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigList(ref), + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref), + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicy": schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyList": schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec": schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref), 
@@ -459,28 +466,29 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), - "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor": schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicyList": schema_openshift_api_config_v1alpha1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicySpec": schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus": schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref), + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy": schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGather": schema_openshift_api_config_v1alpha1_InsightsDataGather(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": 
schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), - "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeConfig": schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref), - "github.com/openshift/api/config/v1alpha1.Policy": schema_openshift_api_config_v1alpha1_Policy(ref), "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), "github.com/openshift/api/config/v1alpha1.PolicyIdentity": schema_openshift_api_config_v1alpha1_PolicyIdentity(ref), "github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository": schema_openshift_api_config_v1alpha1_PolicyMatchExactRepository(ref), "github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1alpha1_PolicyMatchRemapIdentity(ref), "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust": schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref), - "github.com/openshift/api/config/v1alpha1.PublicKey": schema_openshift_api_config_v1alpha1_PublicKey(ref), + "github.com/openshift/api/config/v1alpha1.PrometheusOperatorConfig": schema_openshift_api_config_v1alpha1_PrometheusOperatorConfig(ref), 
"github.com/openshift/api/config/v1alpha1.RetentionNumberConfig": schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref), "github.com/openshift/api/config/v1alpha1.RetentionPolicy": schema_openshift_api_config_v1alpha1_RetentionPolicy(ref), "github.com/openshift/api/config/v1alpha1.RetentionSizeConfig": schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref), 
@@ -541,6 +549,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/console/v1.ConsoleYAMLSampleSpec": schema_openshift_api_console_v1_ConsoleYAMLSampleSpec(ref), "github.com/openshift/api/console/v1.Link": schema_openshift_api_console_v1_Link(ref), "github.com/openshift/api/console/v1.NamespaceDashboardSpec": schema_openshift_api_console_v1_NamespaceDashboardSpec(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerCluster": schema_openshift_api_etcd_v1alpha1_PacemakerCluster(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterFencingAgentStatus": schema_openshift_api_etcd_v1alpha1_PacemakerClusterFencingAgentStatus(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterList": schema_openshift_api_etcd_v1alpha1_PacemakerClusterList(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterNodeStatus": schema_openshift_api_etcd_v1alpha1_PacemakerClusterNodeStatus(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterResourceStatus": schema_openshift_api_etcd_v1alpha1_PacemakerClusterResourceStatus(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterStatus": schema_openshift_api_etcd_v1alpha1_PacemakerClusterStatus(ref), + "github.com/openshift/api/etcd/v1alpha1.PacemakerNodeAddress": schema_openshift_api_etcd_v1alpha1_PacemakerNodeAddress(ref), "github.com/openshift/api/example/v1.CELUnion": schema_openshift_api_example_v1_CELUnion(ref), "github.com/openshift/api/example/v1.EvolvingUnion": schema_openshift_api_example_v1_EvolvingUnion(ref), "github.com/openshift/api/example/v1.FormatMarkerExamples": schema_openshift_api_example_v1_FormatMarkerExamples(ref), 
@@ -9368,6 +9383,27 @@ func schema_openshift_api_config_v1_AWSServiceEndpoint(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1_AcceptRisk(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AcceptRisk represents a risk that is considered acceptable.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + func schema_openshift_api_config_v1_AdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -10955,7 +10991,7 @@ func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceC SchemaProps: spec.SchemaProps{ Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), + Ref: ref("github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -10963,7 +10999,7 @@ func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceC }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"}, } } 
@@ -11678,12 +11714,34 @@ func schema_openshift_api_config_v1_ClusterVersionStatus(ref common.ReferenceCal }, }, }, + "conditionalUpdateRisks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ConditionalUpdateRisk"), + }, + }, + }, + }, + }, }, Required: []string{"desired", "observedGeneration", "versionHash", "availableUpdates"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ClusterVersionCapabilitiesStatus", "github.com/openshift/api/config/v1.ConditionalUpdate", "github.com/openshift/api/config/v1.Release", "github.com/openshift/api/config/v1.UpdateHistory"}, + "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ClusterVersionCapabilitiesStatus", "github.com/openshift/api/config/v1.ConditionalUpdate", "github.com/openshift/api/config/v1.ConditionalUpdateRisk", "github.com/openshift/api/config/v1.Release", "github.com/openshift/api/config/v1.UpdateHistory"}, } } 
@@ -11908,6 +11966,26 @@ func schema_openshift_api_config_v1_ConditionalUpdate(ref common.ReferenceCallba Ref: ref("github.com/openshift/api/config/v1.Release"), }, }, + "riskNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, "risks": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ 
@@ -11970,6 +12048,28 @@ func schema_openshift_api_config_v1_ConditionalUpdateRisk(ref common.ReferenceCa Description: "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.", Type: []string{"object"}, Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, "url": { SchemaProps: spec.SchemaProps{ Description: "url contains information about this risk.", @@ -12018,7 +12118,7 @@ func schema_openshift_api_config_v1_ConditionalUpdateRisk(ref common.ReferenceCa }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterCondition"}, + "github.com/openshift/api/config/v1.ClusterCondition", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } 
@@ -12344,7 +12444,7 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", Default: "", Type: []string{"string"}, Format: "", 
@@ -13315,43 +13415,6 @@ func schema_openshift_api_config_v1_FeatureGateTests(ref common.ReferenceCallbac } } -func schema_openshift_api_config_v1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, - } -} - func schema_openshift_api_config_v1_GCPPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14906,6 +14969,43 @@ func schema_openshift_api_config_v1_ImagePolicy(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14957,6 +15057,71 @@ func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback } } +func schema_openshift_api_config_v1_ImagePolicyPKIRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyPublicKeyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14988,7 +15153,7 @@ func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback SchemaProps: spec.SchemaProps{ Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), + Ref: ref("github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -14996,7 +15161,7 @@ func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"}, } } 
@@ -15036,6 +15201,35 @@ func schema_openshift_api_config_v1_ImagePolicyStatus(ref common.ReferenceCallba } } +func schema_openshift_api_config_v1_ImageSigstoreVerificationPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, + } +} + func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -15950,7 +16144,7 @@ func schema_openshift_api_config_v1_IntermediateTLSProfile(ref common.ReferenceC return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + Description: "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, @@ -16417,7 +16611,7 @@ func schema_openshift_api_config_v1_ModernTLSProfile(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + Description: "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, 
@@ -17673,12 +17867,12 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + Description: "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", Default: "", Type: []string{"string"}, Format: "", 
@@ -17686,7 +17880,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", 
@@ -17702,7 +17896,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.SecretNameReference"), }, 
@@ -17791,7 +17985,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -17808,7 +18002,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + Description: "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -17941,12 +18135,34 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, }, + "userValidationRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "expression", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.TokenUserValidationRule"), + }, + }, + }, + }, + }, }, Required: []string{"name", "issuer", "claimMappings"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer"}, + "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer", "github.com/openshift/api/config/v1.TokenUserValidationRule"}, } } 
@@ -17999,7 +18215,7 @@ func schema_openshift_api_config_v1_OldTLSProfile(ref common.ReferenceCallback) return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + Description: "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, 
@@ -18733,43 +18949,6 @@ func schema_openshift_api_config_v1_OvirtPlatformStatus(ref common.ReferenceCall } } -func schema_openshift_api_config_v1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PKICertificateSubject"}, - } -} - func schema_openshift_api_config_v1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -18857,7 +19036,7 @@ func schema_openshift_api_config_v1_PlatformSpec(ref common.ReferenceCallback) c Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", + Description: "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.", Default: "", Type: []string{"string"}, Format: "", 
@@ -19064,35 +19243,6 @@ func schema_openshift_api_config_v1_PlatformStatus(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Policy defines the verification policy for the items in the scopes list.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "rootOfTrust": { - SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), - }, - }, - "signedIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), - }, - }, - }, - Required: []string{"rootOfTrust"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, - } -} - func schema_openshift_api_config_v1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -19240,19 +19390,19 @@ func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallba "publicKey": { SchemaProps: spec.SchemaProps{ Description: "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PublicKey"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust"), }, }, "fulcioCAWithRekor": { SchemaProps: spec.SchemaProps{ Description: "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1.FulcioCAWithRekor"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust"), }, }, "pki": { SchemaProps: spec.SchemaProps{ Description: "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PKI"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust"), }, }, }, 
@@ -19274,7 +19424,7 @@ func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallba }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.FulcioCAWithRekor", "github.com/openshift/api/config/v1.PKI", "github.com/openshift/api/config/v1.PublicKey"}, + "github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust", "github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust", "github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust"}, } } @@ -19438,7 +19588,7 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal }, "prefix": { SchemaProps: spec.SchemaProps{ - Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", Default: "", Type: []string{"string"}, Format: "", 
@@ -19828,34 +19978,6 @@ func schema_openshift_api_config_v1_ProxyStatus(ref common.ReferenceCallback) co } } -func schema_openshift_api_config_v1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PublicKey defines the root of trust based on a sigstore public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyData": { - SchemaProps: spec.SchemaProps{ - Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - }, - Required: []string{"keyData"}, - }, - }, - } -} - func schema_openshift_api_config_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -20776,7 +20898,7 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", Default: "", Type: []string{"string"}, Format: "", 
@@ -20798,7 +20920,7 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", Default: "", Type: []string{"string"}, Format: "", 
@@ -20806,25 +20928,25 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - 
ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, "modern": { SchemaProps: spec.SchemaProps{ - 
Description: "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", + Description: "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", Ref: ref("github.com/openshift/api/config/v1.ModernTLSProfile"), }, }, "custom": { SchemaProps: spec.SchemaProps{ - Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", Ref: ref("github.com/openshift/api/config/v1.CustomTLSProfile"), }, }, 
@@ -21020,14 +21142,14 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, "groups": { SchemaProps: spec.SchemaProps{ - Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.PrefixedClaimMapping"), }, }, "uid": { SchemaProps: spec.SchemaProps{ - Description: "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + Description: "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. 
When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", Ref: ref("github.com/openshift/api/config/v1.TokenClaimOrExpressionMapping"), }, }, @@ -21041,7 +21163,7 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, SchemaProps: spec.SchemaProps{ - Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -21089,15 +21211,43 @@ func schema_openshift_api_config_v1_TokenClaimOrExpressionMapping(ref common.Ref } } -func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_TokenClaimValidationCELRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"expression", "message"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. 
If Type is CEL, CEL must be set and RequiredClaim must be omitted.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.", Default: "", Type: []string{"string"}, Format: "", 
@@ -21106,16 +21256,23 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc }, "requiredClaim": { SchemaProps: spec.SchemaProps{ - Description: "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + Description: "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.", Ref: ref("github.com/openshift/api/config/v1.TokenRequiredClaim"), }, }, + "cel": { + SchemaProps: spec.SchemaProps{ + Description: "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.TokenClaimValidationCELRule"), + }, + }, }, Required: []string{"type"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.TokenRequiredClaim"}, + "github.com/openshift/api/config/v1.TokenClaimValidationCELRule", "github.com/openshift/api/config/v1.TokenRequiredClaim"}, } } 
@@ -21195,6 +21352,13 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), }, }, + "discoveryURL": { + SchemaProps: spec.SchemaProps{ + Description: "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", + Type: []string{"string"}, + Format: "", + }, + }, }, Required: []string{"issuerURL", "audiences"}, }, 
@@ -21233,6 +21397,34 @@ func schema_openshift_api_config_v1_TokenRequiredClaim(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1_TokenUserValidationRule(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"expression", "message"}, + }, + }, + } +} + func schema_openshift_api_config_v1_Update(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -21272,9 +21464,33 @@ func schema_openshift_api_config_v1_Update(ref common.ReferenceCallback) common. Format: "", }, }, + "acceptRisks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.AcceptRisk"), + }, + }, + }, + }, + }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.AcceptRisk"}, } } @@ -21331,7 +21547,7 @@ func schema_openshift_api_config_v1_UpdateHistory(ref common.ReferenceCallback) }, "acceptedRisks": { SchemaProps: spec.SchemaProps{ - Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", Type: []string{"string"}, Format: "", }, 
@@ -21361,7 +21577,7 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal }, "prefixPolicy": { SchemaProps: spec.SchemaProps{ - Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", Default: "", Type: []string{"string"}, Format: "", 
@@ -22175,7 +22391,7 @@ func schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref common.Re }, }, SchemaProps: spec.SchemaProps{ - Description: "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + Description: "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -22214,7 +22430,7 @@ func schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref common.Re }, }, SchemaProps: spec.SchemaProps{ - Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -22237,7 +22453,7 @@ func schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref common.Re }, }, SchemaProps: spec.SchemaProps{ - Description: "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + Description: "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -22417,6 +22633,176 @@ func schema_openshift_api_config_v1alpha1_BackupStatus(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.", + Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. 
The controller will populate this field with validation conditions and operational state.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec", "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "matchImages": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "matchImages is a list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. 
Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is optional, the items of the list must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. 
Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. 
Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + func schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -22549,7 +22935,7 @@ func schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref common.Refe SchemaProps: spec.SchemaProps{ Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.Policy"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -22557,7 +22943,7 @@ func schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref common.Refe }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Policy"}, + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, } } 
@@ -22726,11 +23112,18 @@ func schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref common.Refer Ref: ref("github.com/openshift/api/config/v1alpha1.MetricsServerConfig"), }, }, + "prometheusOperatorConfig": { + SchemaProps: spec.SchemaProps{ + Description: "prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PrometheusOperatorConfig"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig", "github.com/openshift/api/config/v1alpha1.MetricsServerConfig", "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, + "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig", "github.com/openshift/api/config/v1alpha1.MetricsServerConfig", "github.com/openshift/api/config/v1alpha1.PrometheusOperatorConfig", "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, } } 
@@ -22826,43 +23219,6 @@ func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCal } } -func schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"}, - } -} - func schema_openshift_api_config_v1alpha1_GatherConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22957,6 +23313,43 @@ func schema_openshift_api_config_v1alpha1_ImagePolicy(ref common.ReferenceCallba } } +func schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23007,6 +23400,71 @@ func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCa } } +func schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23038,7 +23496,7 @@ func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCa SchemaProps: spec.SchemaProps{ Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.Policy"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -23046,7 +23504,7 @@ func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCa }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Policy"}, + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, } } 
@@ -23086,6 +23544,36 @@ func schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref common.Reference } } +func schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust specifies the root of trust for the policy.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PolicyIdentity", "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"}, + } +} + func schema_openshift_api_config_v1alpha1_InsightsDataGather(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23255,7 +23743,7 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen }, }, SchemaProps: spec.SchemaProps{ - Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -23284,7 +23772,7 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen }, }, SchemaProps: spec.SchemaProps{ - Description: "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + Description: "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -23307,7 +23795,7 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen }, }, SchemaProps: spec.SchemaProps{ - Description: "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + Description: "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -23327,43 +23815,6 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen } } -func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, - } -} - func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23443,36 +23894,6 @@ func schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref common.Refe } } -func schema_openshift_api_config_v1alpha1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Policy defines the verification policy for the items in the scopes list.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "rootOfTrust": { - SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust specifies the root of trust for the policy.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"), - }, - }, - "signedIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyIdentity"), - }, - }, - }, - Required: []string{"rootOfTrust"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyIdentity", "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"}, - } -} - func schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23620,19 +24041,19 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference "publicKey": { SchemaProps: spec.SchemaProps{ Description: "publicKey defines the root of trust based on a sigstore public key.", - Ref: ref("github.com/openshift/api/config/v1alpha1.PublicKey"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"), }, }, "fulcioCAWithRekor": { SchemaProps: spec.SchemaProps{ Description: "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust"), }, }, "pki": { SchemaProps: spec.SchemaProps{ Description: "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - Ref: ref("github.com/openshift/api/config/v1alpha1.PKI"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust"), }, }, }, 
@@ -23654,35 +24075,109 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor", "github.com/openshift/api/config/v1alpha1.PKI", "github.com/openshift/api/config/v1alpha1.PublicKey"}, + "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"}, } } -func schema_openshift_api_config_v1alpha1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_PrometheusOperatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PublicKey defines the root of trust based on a sigstore public key.", + Description: "PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "keyData": { + "logLevel": { SchemaProps: spec.SchemaProps{ - Description: "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + Description: "logLevel defines the verbosity of logs emitted by Prometheus Operator. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", Type: []string{"string"}, - Format: "byte", + Format: "", }, }, - "rekorKeyData": { + "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", + Description: "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. 
The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ContainerResource"), + }, + }, + }, + }, + }, + "tolerations": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Toleration"), + }, + }, + }, + }, + }, + "topologySpreadConstraints": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "topologyKey", + "whenUnsatisfiable", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. 
This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.TopologySpreadConstraint"), + }, + }, + }, }, }, }, - Required: []string{"keyData"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ContainerResource", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint"}, } } @@ -25834,10 +26329,11 @@ func schema_openshift_api_console_v1_ConsoleSampleSource(ref common.ReferenceCal Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type of the sample, currently supported: \"GitImport\";\"ContainerImport\"", + Description: "type of the sample, currently supported: \"GitImport\";\"ContainerImport\"\n\nPossible enum values:\n - `\"ContainerImport\"` A sample that let the user import a container image.\n - `\"GitImport\"` A sample that let the user import code from a git repository.", Default: "", Type: []string{"string"}, Format: "", + Enum: []interface{}{"ContainerImport", "GitImport"}, }, }, "gitImport": { 
@@ -25993,26 +26489,294 @@ func schema_openshift_api_console_v1_ConsoleYAMLSample(ref common.ReferenceCallb Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "spec": { + "spec": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/console/v1.ConsoleYAMLSampleSpec"), + }, + }, + }, + Required: []string{"metadata", "spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/console/v1.ConsoleYAMLSampleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_console_v1_ConsoleYAMLSampleList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/console/v1.ConsoleYAMLSample"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/console/v1.ConsoleYAMLSample", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_console_v1_ConsoleYAMLSampleSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ConsoleYAMLSampleSpec is the desired YAML sample configuration. Samples will appear with their descriptions in a samples sidebar when creating a resources in the web console.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "targetResource": { + SchemaProps: spec.SchemaProps{ + Description: "targetResource contains apiVersion and kind of the resource YAML sample is representating.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta"), + }, + }, + "title": { + SchemaProps: spec.SchemaProps{ + Description: "title of the YAML sample.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "description": { + SchemaProps: spec.SchemaProps{ + Description: "description of the YAML sample.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "yaml": { + SchemaProps: spec.SchemaProps{ + Description: "yaml is the YAML sample to display.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "snippet": { + SchemaProps: spec.SchemaProps{ + 
Description: "snippet indicates that the YAML sample is not the full YAML resource definition, but a fragment that can be inserted into the existing YAML document at the user's cursor.", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + }, + Required: []string{"targetResource", "title", "description", "yaml"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta"}, + } +} + +func schema_openshift_api_console_v1_Link(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Represents a standard link that could be generated in HTML", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "text": { + SchemaProps: spec.SchemaProps{ + Description: "text is the display text for the link", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "href": { + SchemaProps: spec.SchemaProps{ + Description: "href is the absolute URL for the link. Must use https:// for web URLs or mailto: for email links.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"text", "href"}, + }, + }, + } +} + +func schema_openshift_api_console_v1_NamespaceDashboardSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NamespaceDashboardSpec is a specification of namespaces in which the dashboard link should appear. 
If both namespaces and namespaceSelector are specified, the link will appear in namespaces that match either", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "namespaces": { + SchemaProps: spec.SchemaProps{ + Description: "namespaces is an array of namespace names in which the dashboard link should appear.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "namespaceSelector": { + SchemaProps: spec.SchemaProps{ + Description: "namespaceSelector is used to select the Namespaces that should contain dashboard link by label. If the namespace labels match, dashboard link will be shown for the namespaces.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, + } +} + +func schema_openshift_api_etcd_v1alpha1_PacemakerCluster(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command. PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is \"cluster\". This resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "status": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/console/v1.ConsoleYAMLSampleSpec"), + Description: "status contains the actual pacemaker cluster status information collected from the cluster. The goal of this status is to be able to quickly identify if pacemaker is in a healthy state. In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources. 
This field is optional on creation - the status collector populates it immediately after creating the resource via the status subresource.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerClusterStatus"), }, }, }, - Required: []string{"metadata", "spec"}, + Required: []string{"metadata"}, }, }, Dependencies: []string{ - "github.com/openshift/api/console/v1.ConsoleYAMLSampleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_console_v1_ConsoleYAMLSampleList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_etcd_v1alpha1_PacemakerClusterFencingAgentStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node. Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they can fence), not the node where their monitoring operations are scheduled.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions represent the observations of the fencing agent's current state. 
Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the fencing agent. The \"InService\" condition tracks whether the fencing agent is in service (not in maintenance mode). The \"Managed\" condition tracks whether the fencing agent is managed by pacemaker. The \"Enabled\" condition tracks whether the fencing agent is enabled. The \"Operational\" condition tracks whether the fencing agent is operational (not failed). The \"Active\" condition tracks whether the fencing agent is active (available to be used). The \"Started\" condition tracks whether the fencing agent is started. The \"Schedulable\" condition tracks whether the fencing agent is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the unique identifier for this fencing agent (e.g., \"master-0_redfish\"). The name must be unique within the fencingAgents array for this node. It may contain alphanumeric characters, dots, hyphens, and underscores. Maximum length is 300 characters, providing headroom beyond the typical format of _ (253 for RFC 1123 node name + 1 underscore + type).", + Type: []string{"string"}, + Format: "", + }, + }, + "method": { + SchemaProps: spec.SchemaProps{ + Description: "method is the fencing method used by this agent. Valid values are \"Redfish\" and \"IPMI\". Redfish is a standard RESTful API for server management. 
IPMI (Intelligent Platform Management Interface) is a hardware management interface.\n\nPossible enum values:\n - `\"IPMI\"` uses IPMI (Intelligent Platform Management Interface), a hardware management interface.\n - `\"Redfish\"` uses Redfish, a standard RESTful API for server management.", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"IPMI", "Redfish"}, + }, + }, + }, + Required: []string{"conditions", "name", "method"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + +func schema_openshift_api_etcd_v1alpha1_PacemakerClusterList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton resource; only one instance named \"cluster\" may exist. This list type exists only to satisfy Kubernetes API conventions.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { 
@@ -26038,144 +26802,273 @@ func schema_openshift_api_console_v1_ConsoleYAMLSampleList(ref common.ReferenceC }, "items": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "items is a list of PacemakerCluster objects.", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/console/v1.ConsoleYAMLSample"), + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerCluster"), }, }, }, }, }, }, - Required: []string{"metadata", "items"}, + Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/console/v1.ConsoleYAMLSample", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/etcd/v1alpha1.PacemakerCluster", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_console_v1_ConsoleYAMLSampleSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_etcd_v1alpha1_PacemakerClusterNodeStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ConsoleYAMLSampleSpec is the desired YAML sample configuration. 
Samples will appear with their descriptions in a samples sidebar when creating a resources in the web console.", + Description: "PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including the node's conditions and the health of critical resources running on that node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "targetResource": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "targetResource contains apiVersion and kind of the resource YAML sample is representating.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta"), + Description: "conditions represent the observations of the node's current state. Known condition types are: \"Healthy\", \"Online\", \"InService\", \"Active\", \"Ready\", \"Clean\", \"Member\", \"FencingAvailable\", \"FencingHealthy\". The \"Healthy\" condition is an aggregate that tracks the overall health of the node. The \"Online\" condition tracks whether the node is online. The \"InService\" condition tracks whether the node is in service (not in maintenance mode). The \"Active\" condition tracks whether the node is active (not in standby mode). The \"Ready\" condition tracks whether the node is ready (not in a pending state). The \"Clean\" condition tracks whether the node is in a clean (status known) state. The \"Member\" condition tracks whether the node is a member of the cluster. The \"FencingAvailable\" condition tracks whether this node can be fenced by at least one healthy agent. The \"FencingHealthy\" condition tracks whether all fencing agents for this node are healthy. 
Each of these conditions is required, so the array must contain at least 9 items.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, }, }, - "title": { + "nodeName": { SchemaProps: spec.SchemaProps{ - Description: "title of the YAML sample.", - Default: "", + Description: "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.", Type: []string{"string"}, Format: "", }, }, - "description": { + "addresses": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "description of the YAML sample.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). 
This excludes loopback, link-local, and multicast addresses.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerNodeAddress"), + }, + }, + }, }, }, - "yaml": { + "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "yaml is the YAML sample to display.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "resources contains the status of pacemaker resources scheduled on this node. Each resource entry includes the resource name and its health conditions. For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. Both resources are required to be present, so the array must contain at least 2 items. Valid resource names are \"Kubelet\" and \"Etcd\". Fencing agents are tracked separately in the fencingAgents field.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerClusterResourceStatus"), + }, + }, + }, }, }, - "snippet": { + "fencingAgents": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "snippet indicates that the YAML sample is not the full YAML resource definition, but a fragment that can be inserted into the existing YAML document at the user's cursor.", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "fencingAgents contains the status of fencing agents that can fence this node. 
Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. Names must be unique within this array.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerClusterFencingAgentStatus"), + }, + }, + }, }, }, }, - Required: []string{"targetResource", "title", "description", "yaml"}, + Required: []string{"conditions", "nodeName", "addresses", "resources", "fencingAgents"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta"}, + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterFencingAgentStatus", "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterResourceStatus", "github.com/openshift/api/etcd/v1alpha1.PacemakerNodeAddress", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_console_v1_Link(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_etcd_v1alpha1_PacemakerClusterResourceStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Represents a standard link that could be generated in HTML", + Description: "PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node. A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. 
For Two Node OpenShift with Fencing, we track two resources per node:\n - Kubelet (the Kubernetes node agent and a prerequisite for etcd)\n - Etcd (the distributed key-value store)\n\nFencing agents are tracked separately in the fencingAgents field because they are mapped to their target node (the node they can fence), not the node where monitoring operations are scheduled.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "text": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "text is the display text for the link", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "conditions represent the observations of the resource's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the resource. The \"InService\" condition tracks whether the resource is in service (not in maintenance mode). The \"Managed\" condition tracks whether the resource is managed by pacemaker. The \"Enabled\" condition tracks whether the resource is enabled. The \"Operational\" condition tracks whether the resource is operational (not failed). The \"Active\" condition tracks whether the resource is active (available to be used). The \"Started\" condition tracks whether the resource is started. The \"Schedulable\" condition tracks whether the resource is schedulable (not blocked). 
Each of these conditions is required, so the array must contain at least 8 items.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, }, }, - "href": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "href is the absolute URL for the link. Must use https:// for web URLs or mailto: for email links.", - Default: "", + Description: "name is the name of the pacemaker resource. Valid values are \"Kubelet\" and \"Etcd\". The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. Fencing agents are tracked separately in the node's fencingAgents field.\n\nPossible enum values:\n - `\"Etcd\"` is the etcd pacemaker resource. The etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations.\n - `\"Kubelet\"` is the kubelet pacemaker resource. The kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments.", Type: []string{"string"}, Format: "", + Enum: []interface{}{"Etcd", "Kubelet"}, }, }, }, - Required: []string{"text", "href"}, + Required: []string{"conditions", "name"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_console_v1_NamespaceDashboardSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_etcd_v1alpha1_PacemakerClusterStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NamespaceDashboardSpec is a specification of namespaces in which the dashboard link should appear. 
If both namespaces and namespaceSelector are specified, the link will appear in namespaces that match either", + Description: "PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value. The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "namespaces": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "namespaces is an array of namespace names in which the dashboard link should appear.", + Description: "conditions represent the observations of the pacemaker cluster's current state. Known condition types are: \"Healthy\", \"InService\", \"NodeCountAsExpected\". The \"Healthy\" condition is an aggregate that tracks the overall health of the cluster. The \"InService\" condition tracks whether the cluster is in service (not in maintenance mode). The \"NodeCountAsExpected\" condition tracks whether the expected number of nodes are present. Each of these conditions is required, so the array must contain at least 3 items.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "namespaceSelector": { + "lastUpdated": { SchemaProps: spec.SchemaProps{ - Description: "namespaceSelector is used to select the Namespaces that should contain dashboard link by label. 
If the namespace labels match, dashboard link will be shown for the namespaces.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + Description: "lastUpdated is the timestamp when this status was last updated. This is useful for identifying stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot be removed and cannot be set to an earlier timestamp than the current value.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "nodes": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "nodeName", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "nodes provides detailed status for each control-plane node in the Pacemaker cluster. While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. An empty list indicates a catastrophic failure where Pacemaker reports no nodes.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/etcd/v1alpha1.PacemakerClusterNodeStatus"), + }, + }, + }, }, }, }, + Required: []string{"conditions", "lastUpdated", "nodes"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, + "github.com/openshift/api/etcd/v1alpha1.PacemakerClusterNodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_openshift_api_etcd_v1alpha1_PacemakerNodeAddress(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PacemakerNodeAddress contains information for a node's address. 
This is similar to corev1.NodeAddress but adds validation for IP addresses.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the type of node address. Currently only \"InternalIP\" is supported.\n\nPossible enum values:\n - `\"InternalIP\"` is an internal IP address assigned to the node. This is typically the IP address used for intra-cluster communication.", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"InternalIP"}, + }, + }, + "address": { + SchemaProps: spec.SchemaProps{ + Description: "address is the node address. For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form. Canonical form means the shortest standard representation (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). Maximum length is 39 characters (full IPv6 address). Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "address"}, + }, + }, } } @@ -40973,7 +41866,7 @@ func schema_openshift_api_machine_v1beta1_DedicatedHost(ref common.ReferenceCall Properties: map[string]spec.Schema{ "id": { SchemaProps: spec.SchemaProps{ - Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by 17 lowercase hexadecimal characters (0-9 and a-f). Must be exactly 19 characters in length.", + Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", Type: []string{"string"}, Format: "", }, 
@@ -42607,6 +43500,13 @@ func schema_openshift_api_machine_v1beta1_MachineSetStatus(ref common.ReferenceC Format: "", }, }, + "synchronizedAPI": { + SchemaProps: spec.SchemaProps{ + Description: "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.", + Type: []string{"string"}, + Format: "", + }, + }, "synchronizedGeneration": { SchemaProps: spec.SchemaProps{ Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", @@ -42792,6 +43692,13 @@ func schema_openshift_api_machine_v1beta1_MachineStatus(ref common.ReferenceCall Format: "", }, }, + "synchronizedAPI": { + SchemaProps: spec.SchemaProps{ + Description: "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.", + Type: []string{"string"}, + Format: "", + }, + }, "synchronizedGeneration": { SchemaProps: spec.SchemaProps{ Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", 
@@ -49749,7 +50656,7 @@ func schema_openshift_api_operator_v1_Capability(ref common.ReferenceCallback) c Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.", + Description: "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.", Default: "", Type: []string{"string"}, Format: "", @@ -50849,7 +51756,7 @@ func schema_openshift_api_operator_v1_ConsoleCustomization(ref common.ReferenceC }, }, SchemaProps: spec.SchemaProps{ - Description: "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", + Description: "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go index e030a65c8..35795b2b7 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_console.go +++ b/vendor/github.com/openshift/api/operator/v1/types_console.go 
@@ -107,6 +107,9 @@ const ( // gettingStartedBanner is the name of the 'Getting started resources' banner in the console UI Overview page. GettingStartedBanner ConsoleCapabilityName = "GettingStartedBanner" + + // guidedTour is the name of the 'Guided Tour' feature in console UI. + GuidedTour ConsoleCapabilityName = "GuidedTour" ) // CapabilityState defines the state of the capability in the console UI. @@ -134,8 +137,8 @@ type CapabilityVisibility struct { // Capabilities contains set of UI capabilities and their state in the console UI. type Capability struct { // name is the unique name of a capability. - // Available capabilities are LightspeedButton and GettingStartedBanner. - // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner" + // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. + // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner";"GuidedTour" // +required Name ConsoleCapabilityName `json:"name"` // visibility defines the visibility state of the capability. @@ -281,10 +284,10 @@ type ConsoleCustomization struct { // capabilities defines an array of capabilities that can be interacted with in the console UI. // Each capability defines a visual state that can be interacted with the console to render in the UI. - // Available capabilities are LightspeedButton and GettingStartedBanner. + // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. // Each of the available capabilities may appear only once in the list. // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:MaxItems=3 // +listType=map // +listMapKey=name // +optional diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go index c6bcd22bc..f5836af0f 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go 
+++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go 
@@ -18,7 +18,8 @@ import ( // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=1 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? 
!(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'" // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets" type MachineConfiguration struct { metav1.TypeMeta `json:",inline"` diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go index 111240eec..1cf56f549 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_network.go +++ b/vendor/github.com/openshift/api/operator/v1/types_network.go 
@@ -54,7 +54,7 @@ type NetworkList struct { // NetworkSpec is the top-level network configuration object. // +kubebuilder:validation:XValidation:rule="!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Restricted' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Global'",message="invalid value for IPForwarding, valid values are 'Restricted' or 'Global'" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteAdvertisements,rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available" +// +kubebuilder:validation:XValidation:rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available" type NetworkSpec struct { OperatorSpec `json:",inline"` 
@@ -136,7 +136,6 @@ type NetworkSpec struct { // capabilities acquired through the enablement of these components but may // require specific configuration on their side to do so; refer to their // respective documentation and configuration options. - // +openshift:enable:FeatureGate=AdditionalRoutingCapabilities // +optional AdditionalRoutingCapabilities *AdditionalRoutingCapabilities `json:"additionalRoutingCapabilities,omitempty"` } @@ -157,7 +156,7 @@ const ( ) // NetworkMigration represents the cluster network migration configuration. -// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkLiveMigration,rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration" +// +kubebuilder:validation:XValidation:rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration" type NetworkMigration struct { // mtu contains the MTU migration configuration. Set this to allow changing // the MTU values for the default network. If unset, the operation of @@ -465,7 +464,6 @@ type OVNKubernetesConfig struct { // means the user has no opinion and the platform is left to choose // reasonable defaults. These defaults are subject to change over time. The // current default is "Disabled". - // +openshift:enable:FeatureGate=RouteAdvertisements // +optional RouteAdvertisements RouteAdvertisementsEnablement `json:"routeAdvertisements,omitempty"` } diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml index a18cf575e..f6f31fb40 100644 
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml @@ -88,7 +88,7 @@ spec: description: |- capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. - Available capabilities are LightspeedButton and GettingStartedBanner. + Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list. items: description: Capabilities contains set of UI capabilities and @@ -97,10 +97,11 @@ spec: name: description: |- name is the unique name of a capability. - Available capabilities are LightspeedButton and GettingStartedBanner. + Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. enum: - LightspeedButton - GettingStartedBanner + - GuidedTour type: string visibility: description: visibility defines the visibility state of @@ -122,7 +123,7 @@ spec: - name - visibility type: object - maxItems: 2 + maxItems: 3 minItems: 1 type: array x-kubernetes-list-map-keys: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml index d37991c45..fa03ef576 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml 
@@ -1994,17 +1994,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -2026,8 +2021,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 
@@ -2037,143 +2030,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. 
- https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate @@ -3323,8 +3269,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml index 7a41655bd..60459deca 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml @@ -914,13 +914,6 @@ spec: type: boolean type: object x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - message: invalid value for IPForwarding, valid values are 'Restricted' or 'Global' rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) 
@@ -931,6 +924,13 @@ spec: || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == ''Global''' + - message: Route advertisements cannot be Enabled if 'FRR' routing capability + provider is not available + rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) + || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) + || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) + || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != + 'Enabled' status: description: |- NetworkStatus is detailed operator status, which is distilled diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml index c165fca6b..831b51975 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml 
@@ -1524,12 +1524,19 @@ spec: rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true' - - message: when skew enforcement is in Automatic mode, managedBootImages must - contain a MachineManager opting in all MachineAPI MachineSets + - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers + must not be an empty list rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' - ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, - m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup - == ''machine.openshift.io'') : true' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) + > 0 : true' + - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet + MachineManager must use selection mode 'All' + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, + m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'') + || self.spec.managedBootImages.machineManagers.exists(m, m.resource == + ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode + == ''All'') : true' - message: when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml index 3de28dcdf..2e65e97c8 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml @@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml index 544168f41..201cee1f8 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml 
@@ -1524,12 +1524,19 @@ spec: rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true' - - message: when skew enforcement is in Automatic mode, managedBootImages must - contain a MachineManager opting in all MachineAPI MachineSets + - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers + must not be an empty list rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' - ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, - m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup - == ''machine.openshift.io'') : true' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) + > 0 : true' + - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet + MachineManager must use selection mode 'All' + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, + m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'') + || self.spec.managedBootImages.machineManagers.exists(m, m.resource == + ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode + == ''All'') : true' - message: when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml index 6c763ea47..1d1600228 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml @@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml index 0cc415a58..0e521a757 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml 
@@ -1524,12 +1524,19 @@ spec: rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true' - - message: when skew enforcement is in Automatic mode, managedBootImages must - contain a MachineManager opting in all MachineAPI MachineSets + - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers + must not be an empty list rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' - ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, - m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup - == ''machine.openshift.io'') : true' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) + > 0 : true' + - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet + MachineManager must use selection mode 'All' + rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' + ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, + m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'') + || self.spec.managedBootImages.machineManagers.exists(m, m.resource == + ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode + == ''All'') : true' - message: when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic'' diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index e7c94e286..51a758804 100644 
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -327,10 +327,7 @@ networks.operator.openshift.io: CRDName: networks.operator.openshift.io Capability: "" Category: "" - FeatureGates: - - AdditionalRoutingCapabilities - - NetworkLiveMigration - - RouteAdvertisements + FeatureGates: [] FilenameOperatorName: network FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_70" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 06096a6c8..64aac26eb 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -210,7 +210,7 @@ func (AddPage) SwaggerDoc() map[string]string { var map_Capability = map[string]string{ "": "Capabilities contains set of UI capabilities and their state in the console UI.", - "name": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.", + "name": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.", "visibility": "visibility defines the visibility state of the capability.", } 
@@ -259,7 +259,7 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string { var map_ConsoleCustomization = map[string]string{ "": "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.", "logos": "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.", - "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", + "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.", "brand": "brand is the default branding of the web console which can be overridden by providing the brand field. There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.", "documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console. Providing documentationBaseURL will override the default documentation URL. 
Invalid value will prevent a console rollout.", "customProductName": "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.", diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go new file mode 100644 index 000000000..dba8a77ed --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go @@ -0,0 +1,23 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// AcceptRiskApplyConfiguration represents a declarative configuration of the AcceptRisk type for use +// with apply. +type AcceptRiskApplyConfiguration struct { + Name *string `json:"name,omitempty"` +} + +// AcceptRiskApplyConfiguration constructs a declarative configuration of the AcceptRisk type for use with +// apply. +func AcceptRisk() *AcceptRiskApplyConfiguration { + return &AcceptRiskApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *AcceptRiskApplyConfiguration) WithName(value string) *AcceptRiskApplyConfiguration { + b.Name = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go index 6c86d66d4..8cee680f2 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go 
@@ -9,8 +9,8 @@ import ( // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use // with apply. type ClusterImagePolicySpecApplyConfiguration struct { - Scopes []configv1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1 // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go index e966cf424..4d44643d4 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go 
@@ -5,14 +5,15 @@ package v1 // ClusterVersionStatusApplyConfiguration represents a declarative configuration of the ClusterVersionStatus type for use // with apply. type ClusterVersionStatusApplyConfiguration struct { - Desired *ReleaseApplyConfiguration `json:"desired,omitempty"` - History []UpdateHistoryApplyConfiguration `json:"history,omitempty"` - ObservedGeneration *int64 `json:"observedGeneration,omitempty"` - VersionHash *string `json:"versionHash,omitempty"` - Capabilities *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"` - Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"` - AvailableUpdates []ReleaseApplyConfiguration `json:"availableUpdates,omitempty"` - ConditionalUpdates []ConditionalUpdateApplyConfiguration `json:"conditionalUpdates,omitempty"` + Desired *ReleaseApplyConfiguration `json:"desired,omitempty"` + History []UpdateHistoryApplyConfiguration `json:"history,omitempty"` + ObservedGeneration *int64 `json:"observedGeneration,omitempty"` + VersionHash *string `json:"versionHash,omitempty"` + Capabilities *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"` + Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"` + AvailableUpdates []ReleaseApplyConfiguration `json:"availableUpdates,omitempty"` + ConditionalUpdates []ConditionalUpdateApplyConfiguration `json:"conditionalUpdates,omitempty"` + ConditionalUpdateRisks []ConditionalUpdateRiskApplyConfiguration `json:"conditionalUpdateRisks,omitempty"` } // ClusterVersionStatusApplyConfiguration constructs a declarative configuration of the ClusterVersionStatus type for use with 
@@ -104,3 +105,16 @@ func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdates(values . } return b } + +// WithConditionalUpdateRisks adds the given value to the ConditionalUpdateRisks field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ConditionalUpdateRisks field. +func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdateRisks(values ...*ConditionalUpdateRiskApplyConfiguration) *ClusterVersionStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditionalUpdateRisks") + } + b.ConditionalUpdateRisks = append(b.ConditionalUpdateRisks, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go index f183fc6e2..8bffb192c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go @@ -10,6 +10,7 @@ import ( // with apply. type ConditionalUpdateApplyConfiguration struct { Release *ReleaseApplyConfiguration `json:"release,omitempty"` + RiskNames []string `json:"riskNames,omitempty"` Risks []ConditionalUpdateRiskApplyConfiguration `json:"risks,omitempty"` Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` } 
@@ -28,6 +29,16 @@ func (b *ConditionalUpdateApplyConfiguration) WithRelease(value *ReleaseApplyCon return b } +// WithRiskNames adds the given value to the RiskNames field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the RiskNames field. +func (b *ConditionalUpdateApplyConfiguration) WithRiskNames(values ...string) *ConditionalUpdateApplyConfiguration { + for i := range values { + b.RiskNames = append(b.RiskNames, values[i]) + } + return b +} + // WithRisks adds the given value to the Risks field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Risks field. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go index 6debb6e62..fdfc14ebf 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go @@ -2,9 +2,14 @@ package v1 +import ( + metav1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + // ConditionalUpdateRiskApplyConfiguration represents a declarative configuration of the ConditionalUpdateRisk type for use // with apply. type ConditionalUpdateRiskApplyConfiguration struct { + Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` URL *string `json:"url,omitempty"` Name *string `json:"name,omitempty"` Message *string `json:"message,omitempty"` 
@@ -17,6 +22,19 @@ func ConditionalUpdateRisk() *ConditionalUpdateRiskApplyConfiguration { return &ConditionalUpdateRiskApplyConfiguration{} } +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ConditionalUpdateRiskApplyConfiguration) WithConditions(values ...*metav1.ConditionApplyConfiguration) *ConditionalUpdateRiskApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} + // WithURL sets the URL field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the URL field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go similarity index 57% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go index 48b553580..a4c831fca 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go 
@@ -2,24 +2,24 @@ package v1 -// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use // with apply. -type FulcioCAWithRekorApplyConfiguration struct { +type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct { FulcioCAData []byte `json:"fulcioCAData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` } -// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with // apply. -func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { - return &FulcioCAWithRekorApplyConfiguration{} +func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { + return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} } // WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the FulcioCAData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.FulcioCAData = append(b.FulcioCAData, values[i]) } 
@@ -29,7 +29,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) * // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } @@ -39,7 +39,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) * // WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioSubject field is set to the value of the last call. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { b.FulcioSubject = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go similarity index 65% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go index 65f27edf8..9a0c257b7 100644 
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go @@ -2,24 +2,24 @@ package v1 -// PKIApplyConfiguration represents a declarative configuration of the PKI type for use +// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use // with apply. -type PKIApplyConfiguration struct { +type ImagePolicyPKIRootOfTrustApplyConfiguration struct { CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"` CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"` } -// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with +// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with // apply. -func PKI() *PKIApplyConfiguration { - return &PKIApplyConfiguration{} +func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration { + return &ImagePolicyPKIRootOfTrustApplyConfiguration{} } // WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i]) } 
@@ -29,7 +29,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte // WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i]) } @@ -39,7 +39,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values // WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKICertificateSubject field is set to the value of the last call. -func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration { b.PKICertificateSubject = value return b } 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go similarity index 54% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go index c1073e882..a14457309 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go 
@@ -2,23 +2,23 @@ package v1 -// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use // with apply. -type PublicKeyApplyConfiguration struct { +type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct { KeyData []byte `json:"keyData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with // apply. -func PublicKey() *PublicKeyApplyConfiguration { - return &PublicKeyApplyConfiguration{} +func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { + return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} } // WithKeyData adds the given value to the KeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the KeyData field. -func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.KeyData = append(b.KeyData, values[i]) } 
@@ -28,7 +28,7 @@ func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyAppl // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go index b75165c8d..321196469 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use // with apply. type ImagePolicySpecApplyConfiguration struct { - Scopes []configv1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with 
@@ -32,7 +32,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1.ImageS // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go similarity index 52% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go index 3e29510bf..6f0d5d2e7 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go 
@@ -2,23 +2,23 @@ package v1 -// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use +// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use // with apply. -type PolicyApplyConfiguration struct { +type ImageSigstoreVerificationPolicyApplyConfiguration struct { RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` } -// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with +// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with // apply. -func Policy() *PolicyApplyConfiguration { - return &PolicyApplyConfiguration{} +func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration { + return &ImageSigstoreVerificationPolicyApplyConfiguration{} } // WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RootOfTrust field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.RootOfTrust = value return b } 
@@ -26,7 +26,7 @@ func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApply // WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SignedIdentity field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.SignedIdentity = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go index 7d9300367..4f5aec3a5 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go @@ -10,6 +10,7 @@ type OIDCProviderApplyConfiguration struct { OIDCClients []OIDCClientConfigApplyConfiguration `json:"oidcClients,omitempty"` ClaimMappings *TokenClaimMappingsApplyConfiguration `json:"claimMappings,omitempty"` ClaimValidationRules []TokenClaimValidationRuleApplyConfiguration `json:"claimValidationRules,omitempty"` + UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"` } // OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with 
@@ -67,3 +68,16 @@ func (b *OIDCProviderApplyConfiguration) WithClaimValidationRules(values ...*Tok
 }
 return b
 }
+
+// WithUserValidationRules adds the given value to the UserValidationRules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the UserValidationRules field.
+func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*TokenUserValidationRuleApplyConfiguration) *OIDCProviderApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithUserValidationRules")
+ }
+ b.UserValidationRules = append(b.UserValidationRules, *values[i])
+ }
+ return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
index f1ff91ffb..6b3e46f47 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
@@ -9,10 +9,10 @@ import ( // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use // with apply. type PolicyRootOfTrustApplyConfiguration struct { - PolicyType *configv1.PolicyType `json:"policyType,omitempty"` - PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` - FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` - PKI *PKIApplyConfiguration `json:"pki,omitempty"` + PolicyType *configv1.PolicyType `json:"policyType,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` + PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"` } // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with @@ -32,7 +32,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1.Poli // WithPublicKey sets the PublicKey field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PublicKey field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PublicKey = value return b } 
@@ -40,7 +40,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.FulcioCAWithRekor = value return b } @@ -48,7 +48,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci // WithPKI sets the PKI field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKI field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PKI = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go new file mode 100644 index 000000000..8dda73db1 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go 
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenClaimValidationCELRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationCELRule type for use
+// with apply.
+type TokenClaimValidationCELRuleApplyConfiguration struct {
+ Expression *string `json:"expression,omitempty"`
+ Message *string `json:"message,omitempty"`
+}
+
+// TokenClaimValidationCELRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationCELRule type for use with
+// apply.
+func TokenClaimValidationCELRule() *TokenClaimValidationCELRuleApplyConfiguration {
+ return &TokenClaimValidationCELRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithExpression(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+ b.Expression = &value
+ return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithMessage(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+ b.Message = &value
+ return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
index 74e9f6109..c8b0c6005 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go @@ -9,8 +9,9 @@ import ( // TokenClaimValidationRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationRule type for use // with apply. type TokenClaimValidationRuleApplyConfiguration struct { - Type *configv1.TokenValidationRuleType `json:"type,omitempty"` - RequiredClaim *TokenRequiredClaimApplyConfiguration `json:"requiredClaim,omitempty"` + Type *configv1.TokenValidationRuleType `json:"type,omitempty"` + RequiredClaim *TokenRequiredClaimApplyConfiguration `json:"requiredClaim,omitempty"` + CEL *TokenClaimValidationCELRuleApplyConfiguration `json:"cel,omitempty"` } // TokenClaimValidationRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationRule type for use with @@ -34,3 +35,11 @@ func (b *TokenClaimValidationRuleApplyConfiguration) WithRequiredClaim(value *To b.RequiredClaim = value return b } + +// WithCEL sets the CEL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CEL field is set to the value of the last call. +func (b *TokenClaimValidationRuleApplyConfiguration) WithCEL(value *TokenClaimValidationCELRuleApplyConfiguration) *TokenClaimValidationRuleApplyConfiguration { + b.CEL = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go index 68f590abc..4c971d292 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go 
@@ -12,6 +12,7 @@ type TokenIssuerApplyConfiguration struct { URL *string `json:"issuerURL,omitempty"` Audiences []configv1.TokenAudience `json:"audiences,omitempty"` CertificateAuthority *ConfigMapNameReferenceApplyConfiguration `json:"issuerCertificateAuthority,omitempty"` + DiscoveryURL *string `json:"discoveryURL,omitempty"` } // TokenIssuerApplyConfiguration constructs a declarative configuration of the TokenIssuer type for use with @@ -45,3 +46,11 @@ func (b *TokenIssuerApplyConfiguration) WithCertificateAuthority(value *ConfigMa b.CertificateAuthority = value return b } + +// WithDiscoveryURL sets the DiscoveryURL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DiscoveryURL field is set to the value of the last call. +func (b *TokenIssuerApplyConfiguration) WithDiscoveryURL(value string) *TokenIssuerApplyConfiguration { + b.DiscoveryURL = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go new file mode 100644 index 000000000..2aae5f3fe --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go 
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenUserValidationRuleApplyConfiguration represents a declarative configuration of the TokenUserValidationRule type for use
+// with apply.
+type TokenUserValidationRuleApplyConfiguration struct {
+ Expression *string `json:"expression,omitempty"`
+ Message *string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRuleApplyConfiguration constructs a declarative configuration of the TokenUserValidationRule type for use with
+// apply.
+func TokenUserValidationRule() *TokenUserValidationRuleApplyConfiguration {
+ return &TokenUserValidationRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithExpression(value string) *TokenUserValidationRuleApplyConfiguration {
+ b.Expression = &value
+ return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithMessage(value string) *TokenUserValidationRuleApplyConfiguration {
+ b.Message = &value
+ return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
index 004d1bac2..d20e3ca42 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
@@ -13,6 +13,7 @@ type UpdateApplyConfiguration struct { Version *string `json:"version,omitempty"` Image *string `json:"image,omitempty"` Force *bool `json:"force,omitempty"` + AcceptRisks []AcceptRiskApplyConfiguration `json:"acceptRisks,omitempty"` } // UpdateApplyConfiguration constructs a declarative configuration of the Update type for use with @@ -52,3 +53,16 @@ func (b *UpdateApplyConfiguration) WithForce(value bool) *UpdateApplyConfigurati b.Force = &value return b } + +// WithAcceptRisks adds the given value to the AcceptRisks field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the AcceptRisks field. +func (b *UpdateApplyConfiguration) WithAcceptRisks(values ...*AcceptRiskApplyConfiguration) *UpdateApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithAcceptRisks") + } + b.AcceptRisks = append(b.AcceptRisks, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go index e4a3470c4..e1c4c630e 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go 
@@ -9,8 +9,8 @@ import ( // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use // with apply. type ClusterImagePolicySpecApplyConfiguration struct { - Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with @@ -32,7 +32,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1 // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go index 7fcce84b5..e4e57f357 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go 
@@ -5,9 +5,10 @@ package v1alpha1 // ClusterMonitoringSpecApplyConfiguration represents a declarative configuration of the ClusterMonitoringSpec type for use // with apply. type ClusterMonitoringSpecApplyConfiguration struct { - UserDefined *UserDefinedMonitoringApplyConfiguration `json:"userDefined,omitempty"` - AlertmanagerConfig *AlertmanagerConfigApplyConfiguration `json:"alertmanagerConfig,omitempty"` - MetricsServerConfig *MetricsServerConfigApplyConfiguration `json:"metricsServerConfig,omitempty"` + UserDefined *UserDefinedMonitoringApplyConfiguration `json:"userDefined,omitempty"` + AlertmanagerConfig *AlertmanagerConfigApplyConfiguration `json:"alertmanagerConfig,omitempty"` + MetricsServerConfig *MetricsServerConfigApplyConfiguration `json:"metricsServerConfig,omitempty"` + PrometheusOperatorConfig *PrometheusOperatorConfigApplyConfiguration `json:"prometheusOperatorConfig,omitempty"` } // ClusterMonitoringSpecApplyConfiguration constructs a declarative configuration of the ClusterMonitoringSpec type for use with @@ -39,3 +40,11 @@ func (b *ClusterMonitoringSpecApplyConfiguration) WithMetricsServerConfig(value b.MetricsServerConfig = value return b } + +// WithPrometheusOperatorConfig sets the PrometheusOperatorConfig field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PrometheusOperatorConfig field is set to the value of the last call. +func (b *ClusterMonitoringSpecApplyConfiguration) WithPrometheusOperatorConfig(value *PrometheusOperatorConfigApplyConfiguration) *ClusterMonitoringSpecApplyConfiguration { + b.PrometheusOperatorConfig = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go new file mode 100644 index 000000000..221728dca --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go 
@@ -0,0 +1,263 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// CRIOCredentialProviderConfigApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfig type for use +// with apply. +type CRIOCredentialProviderConfigApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *CRIOCredentialProviderConfigSpecApplyConfiguration `json:"spec,omitempty"` + Status *CRIOCredentialProviderConfigStatusApplyConfiguration `json:"status,omitempty"` +} + +// CRIOCredentialProviderConfig constructs a declarative configuration of the CRIOCredentialProviderConfig type for use with +// apply. +func CRIOCredentialProviderConfig(name string) *CRIOCredentialProviderConfigApplyConfiguration { + b := &CRIOCredentialProviderConfigApplyConfiguration{} + b.WithName(name) + b.WithKind("CRIOCredentialProviderConfig") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b +} + +// ExtractCRIOCredentialProviderConfig extracts the applied configuration owned by fieldManager from +// cRIOCredentialProviderConfig. If no managedFields are found in cRIOCredentialProviderConfig for fieldManager, a +// CRIOCredentialProviderConfigApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. 
+// cRIOCredentialProviderConfig must be a unmodified CRIOCredentialProviderConfig API object that was retrieved from the Kubernetes API. +// ExtractCRIOCredentialProviderConfig provides a way to perform a extract/modify-in-place/apply workflow. +// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) { + return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "") +} + +// ExtractCRIOCredentialProviderConfigStatus is the same as ExtractCRIOCredentialProviderConfig except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractCRIOCredentialProviderConfigStatus(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) { + return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "status") +} + +func extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string, subresource string) (*CRIOCredentialProviderConfigApplyConfiguration, error) { + b := &CRIOCredentialProviderConfigApplyConfiguration{} + err := managedfields.ExtractInto(cRIOCredentialProviderConfig, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(cRIOCredentialProviderConfig.Name) + + b.WithKind("CRIOCredentialProviderConfig") + b.WithAPIVersion("config.openshift.io/v1alpha1") + return b, nil +} +func (b CRIOCredentialProviderConfigApplyConfiguration) 
IsApplyConfiguration() {} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithKind(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAPIVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithName(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. 
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGenerateName(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithNamespace(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithUID(value types.UID) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. 
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithResourceVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGeneration(value int64) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. 
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithLabels(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. 
+// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAnnotations(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. 
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithFinalizers(values ...string) *CRIOCredentialProviderConfigApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *CRIOCredentialProviderConfigApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithSpec(value *CRIOCredentialProviderConfigSpecApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *CRIOCredentialProviderConfigApplyConfiguration) WithStatus(value *CRIOCredentialProviderConfigStatusApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration { + b.Status = value + return b +} + +// GetKind retrieves the value of the Kind field in the declarative configuration. +func (b *CRIOCredentialProviderConfigApplyConfiguration) GetKind() *string { + return b.TypeMetaApplyConfiguration.Kind +} + +// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. 
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetAPIVersion() *string { + return b.TypeMetaApplyConfiguration.APIVersion +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *CRIOCredentialProviderConfigApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} + +// GetNamespace retrieves the value of the Namespace field in the declarative configuration. +func (b *CRIOCredentialProviderConfigApplyConfiguration) GetNamespace() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Namespace +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go new file mode 100644 index 000000000..e6588c608 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go 
@@ -0,0 +1,29 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// CRIOCredentialProviderConfigSpecApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigSpec type for use +// with apply. +type CRIOCredentialProviderConfigSpecApplyConfiguration struct { + MatchImages []configv1alpha1.MatchImage `json:"matchImages,omitempty"` +} + +// CRIOCredentialProviderConfigSpecApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigSpec type for use with +// apply. +func CRIOCredentialProviderConfigSpec() *CRIOCredentialProviderConfigSpecApplyConfiguration { + return &CRIOCredentialProviderConfigSpecApplyConfiguration{} +} + +// WithMatchImages adds the given value to the MatchImages field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the MatchImages field. +func (b *CRIOCredentialProviderConfigSpecApplyConfiguration) WithMatchImages(values ...configv1alpha1.MatchImage) *CRIOCredentialProviderConfigSpecApplyConfiguration { + for i := range values { + b.MatchImages = append(b.MatchImages, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go new file mode 100644 index 000000000..a243b281d --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// CRIOCredentialProviderConfigStatusApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigStatus type for use +// with apply. +type CRIOCredentialProviderConfigStatusApplyConfiguration struct { + Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"` +} + +// CRIOCredentialProviderConfigStatusApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigStatus type for use with +// apply. +func CRIOCredentialProviderConfigStatus() *CRIOCredentialProviderConfigStatusApplyConfiguration { + return &CRIOCredentialProviderConfigStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *CRIOCredentialProviderConfigStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *CRIOCredentialProviderConfigStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go similarity index 57% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go index 2a907a7e9..2fcaa3621 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go 
@@ -2,24 +2,24 @@ package v1alpha1 -// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use // with apply. -type FulcioCAWithRekorApplyConfiguration struct { +type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct { FulcioCAData []byte `json:"fulcioCAData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` } -// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with +// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with // apply. -func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { - return &FulcioCAWithRekorApplyConfiguration{} +func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { + return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{} } // WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the FulcioCAData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.FulcioCAData = append(b.FulcioCAData, values[i]) } 
@@ -29,7 +29,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) * // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } @@ -39,7 +39,7 @@ func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) * // WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioSubject field is set to the value of the last call. -func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { +func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration { b.FulcioSubject = value return b } 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go similarity index 65% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go index 455abe02a..a218867ea 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go 
@@ -2,24 +2,24 @@ package v1alpha1 -// PKIApplyConfiguration represents a declarative configuration of the PKI type for use +// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use // with apply. -type PKIApplyConfiguration struct { +type ImagePolicyPKIRootOfTrustApplyConfiguration struct { CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"` CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"` } -// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with +// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with // apply. -func PKI() *PKIApplyConfiguration { - return &PKIApplyConfiguration{} +func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration { + return &ImagePolicyPKIRootOfTrustApplyConfiguration{} } // WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i]) } 
@@ -29,7 +29,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte // WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field. -func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration { for i := range values { b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i]) } @@ -39,7 +39,7 @@ func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values // WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKICertificateSubject field is set to the value of the last call. -func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration { +func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration { b.PKICertificateSubject = value return b } 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go similarity index 54% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go index 91665a90b..22513de62 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go 
@@ -2,23 +2,23 @@ package v1alpha1 -// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use // with apply. -type PublicKeyApplyConfiguration struct { +type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct { KeyData []byte `json:"keyData,omitempty"` RekorKeyData []byte `json:"rekorKeyData,omitempty"` } -// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with +// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with // apply. -func PublicKey() *PublicKeyApplyConfiguration { - return &PublicKeyApplyConfiguration{} +func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { + return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{} } // WithKeyData adds the given value to the KeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the KeyData field. -func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.KeyData = append(b.KeyData, values[i]) } 
@@ -28,7 +28,7 @@ func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyAppl // WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the RekorKeyData field. -func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration { +func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration { for i := range values { b.RekorKeyData = append(b.RekorKeyData, values[i]) } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go index ac08e9cf4..84969b600 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go @@ -9,8 +9,8 @@ import ( // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use // with apply. type ImagePolicySpecApplyConfiguration struct { - Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` - Policy *PolicyApplyConfiguration `json:"policy,omitempty"` + Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"` + Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"` } // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with 
@@ -32,7 +32,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1alpha1. // WithPolicy sets the Policy field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Policy field is set to the value of the last call. -func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { b.Policy = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go similarity index 52% rename from vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go rename to vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go index 61e485664..64f9760e8 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go 
@@ -2,23 +2,23 @@ package v1alpha1 -// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use +// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use // with apply. -type PolicyApplyConfiguration struct { +type ImageSigstoreVerificationPolicyApplyConfiguration struct { RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` } -// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with +// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with // apply. -func Policy() *PolicyApplyConfiguration { - return &PolicyApplyConfiguration{} +func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration { + return &ImageSigstoreVerificationPolicyApplyConfiguration{} } // WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RootOfTrust field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.RootOfTrust = value return b } 
@@ -26,7 +26,7 @@ func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApply // WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SignedIdentity field is set to the value of the last call. -func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { +func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration { b.SignedIdentity = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go index 5de792be6..5122c82e0 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go 
@@ -9,10 +9,10 @@ import ( // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use // with apply. type PolicyRootOfTrustApplyConfiguration struct { - PolicyType *configv1alpha1.PolicyType `json:"policyType,omitempty"` - PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` - FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` - PKI *PKIApplyConfiguration `json:"pki,omitempty"` + PolicyType *configv1alpha1.PolicyType `json:"policyType,omitempty"` + PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` + PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"` } // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with @@ -32,7 +32,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1alpha // WithPublicKey sets the PublicKey field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PublicKey field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PublicKey = value return b } 
@@ -40,7 +40,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.FulcioCAWithRekor = value return b } @@ -48,7 +48,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci // WithPKI sets the PKI field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the PKI field is set to the value of the last call. -func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { +func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { b.PKI = value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go new file mode 100644 index 000000000..3276097b3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go 
@@ -0,0 +1,79 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + v1 "k8s.io/api/core/v1" +) + +// PrometheusOperatorConfigApplyConfiguration represents a declarative configuration of the PrometheusOperatorConfig type for use +// with apply. +type PrometheusOperatorConfigApplyConfiguration struct { + LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"` + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` + Tolerations []v1.Toleration `json:"tolerations,omitempty"` + TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` +} + +// PrometheusOperatorConfigApplyConfiguration constructs a declarative configuration of the PrometheusOperatorConfig type for use with +// apply. +func PrometheusOperatorConfig() *PrometheusOperatorConfigApplyConfiguration { + return &PrometheusOperatorConfigApplyConfiguration{} +} + +// WithLogLevel sets the LogLevel field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the LogLevel field is set to the value of the last call. +func (b *PrometheusOperatorConfigApplyConfiguration) WithLogLevel(value configv1alpha1.LogLevel) *PrometheusOperatorConfigApplyConfiguration { + b.LogLevel = &value + return b +} + +// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the NodeSelector field, +// overwriting an existing map entries in NodeSelector field with the same key. 
+func (b *PrometheusOperatorConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *PrometheusOperatorConfigApplyConfiguration { + if b.NodeSelector == nil && len(entries) > 0 { + b.NodeSelector = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.NodeSelector[k] = v + } + return b +} + +// WithResources adds the given value to the Resources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Resources field. +func (b *PrometheusOperatorConfigApplyConfiguration) WithResources(values ...*ContainerResourceApplyConfiguration) *PrometheusOperatorConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithResources") + } + b.Resources = append(b.Resources, *values[i]) + } + return b +} + +// WithTolerations adds the given value to the Tolerations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Tolerations field. +func (b *PrometheusOperatorConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *PrometheusOperatorConfigApplyConfiguration { + for i := range values { + b.Tolerations = append(b.Tolerations, values[i]) + } + return b +} + +// WithTopologySpreadConstraints adds the given value to the TopologySpreadConstraints field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the TopologySpreadConstraints field. 
+func (b *PrometheusOperatorConfigApplyConfiguration) WithTopologySpreadConstraints(values ...v1.TopologySpreadConstraint) *PrometheusOperatorConfigApplyConfiguration { + for i := range values { + b.TopologySpreadConstraints = append(b.TopologySpreadConstraints, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 0b620a0c1..65906b80c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -206,6 +206,12 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.AcceptRisk + map: + fields: + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.AlibabaCloudPlatformSpec map: elementType: @@ -641,7 +647,7 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1.Policy + namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -848,6 +854,14 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus default: {} + - name: conditionalUpdateRisks + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ConditionalUpdateRisk + elementRelationship: associative + keys: + - name - name: conditionalUpdates type: list: @@ -978,6 +992,12 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.Release default: {} + - name: riskNames + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: risks type: list: 
@@ -989,6 +1009,14 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1.ConditionalUpdateRisk map: fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: matchingRules type: list: @@ -1340,19 +1368,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - version -- name: com.github.openshift.api.config.v1.FulcioCAWithRekor - map: - fields: - - name: fulcioCAData - type: - scalar: string - - name: fulcioSubject - type: - namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject - default: {} - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1.GCPPlatformSpec map: elementType: 
@@ -1783,12 +1798,47 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.ImagePolicyStatus default: {} +- name: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust + map: + fields: + - name: fulcioCAData + type: + scalar: string + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string +- name: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust + map: + fields: + - name: caIntermediatesData + type: + scalar: string + - name: caRootsData + type: + scalar: string + - name: pkiCertificateSubject + type: + namedType: com.github.openshift.api.config.v1.PKICertificateSubject + default: {} +- name: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust + map: + fields: + - name: keyData + type: + scalar: string + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1.ImagePolicySpec map: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1.Policy + namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -1807,6 +1857,16 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - type +- name: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1.PolicyIdentity - name: com.github.openshift.api.config.v1.ImageSpec map: fields: 
@@ -2719,6 +2779,14 @@ var schemaYAML = typed.YAMLObject(`types: keys: - componentNamespace - componentName + - name: userValidationRules + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.TokenUserValidationRule + elementRelationship: associative + keys: + - expression - name: com.github.openshift.api.config.v1.ObjectReference map: fields: @@ -2987,19 +3055,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: nodeDNSIP type: scalar: string -- name: com.github.openshift.api.config.v1.PKI - map: - fields: - - name: caIntermediatesData - type: - scalar: string - - name: caRootsData - type: - scalar: string - - name: pkiCertificateSubject - type: - namedType: com.github.openshift.api.config.v1.PKICertificateSubject - default: {} - name: com.github.openshift.api.config.v1.PKICertificateSubject map: fields: @@ -3123,16 +3178,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: vsphere type: namedType: com.github.openshift.api.config.v1.VSpherePlatformStatus -- name: com.github.openshift.api.config.v1.Policy - map: - fields: - - name: rootOfTrust - type: - namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust - default: {} - - name: signedIdentity - type: - namedType: com.github.openshift.api.config.v1.PolicyIdentity - name: com.github.openshift.api.config.v1.PolicyFulcioSubject map: fields: 
@@ -3187,17 +3232,17 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: fulcioCAWithRekor type: - namedType: com.github.openshift.api.config.v1.FulcioCAWithRekor + namedType: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust - name: pki type: - namedType: com.github.openshift.api.config.v1.PKI + namedType: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust - name: policyType type: scalar: string default: "" - name: publicKey type: - namedType: com.github.openshift.api.config.v1.PublicKey + namedType: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust unions: - discriminator: policyType fields: @@ -3382,15 +3427,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: noProxy type: scalar: string -- name: com.github.openshift.api.config.v1.PublicKey - map: - fields: - - name: keyData - type: - scalar: string - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1.RegistryLocation map: fields: @@ -3689,9 +3725,22 @@ var schemaYAML = typed.YAMLObject(`types: - name: expression type: scalar: string +- name: com.github.openshift.api.config.v1.TokenClaimValidationCELRule + map: + fields: + - name: expression + type: + scalar: string + - name: message + type: + scalar: string - name: com.github.openshift.api.config.v1.TokenClaimValidationRule map: fields: + - name: cel + type: + namedType: com.github.openshift.api.config.v1.TokenClaimValidationCELRule + default: {} - name: requiredClaim type: namedType: com.github.openshift.api.config.v1.TokenRequiredClaim @@ -3720,6 +3769,9 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: associative + - name: discoveryURL + type: + scalar: string - name: issuerCertificateAuthority type: namedType: com.github.openshift.api.config.v1.ConfigMapNameReference 
@@ -3739,9 +3791,26 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.TokenUserValidationRule + map: + fields: + - name: expression + type: + scalar: string + - name: message + type: + scalar: string - name: com.github.openshift.api.config.v1.Update map: fields: + - name: acceptRisks + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.AcceptRisk + elementRelationship: associative + keys: + - name - name: architecture type: scalar: string @@ -4149,6 +4218,46 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: __untyped_deduced_ elementRelationship: separable +- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec + - name: status + type: + namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus + default: {} +- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec + map: + fields: + - name: matchImages + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus + map: + fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicy map: fields: 
@@ -4175,7 +4284,7 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1alpha1.Policy + namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -4226,6 +4335,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.MetricsServerConfig default: {} + - name: prometheusOperatorConfig + type: + namedType: com.github.openshift.api.config.v1alpha1.PrometheusOperatorConfig + default: {} - name: userDefined type: namedType: com.github.openshift.api.config.v1alpha1.UserDefinedMonitoring @@ -4273,19 +4386,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor - map: - fields: - - name: fulcioCAData - type: - scalar: string - - name: fulcioSubject - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject - default: {} - - name: rekorKeyData - type: - scalar: string - name: com.github.openshift.api.config.v1alpha1.GatherConfig map: fields: 
@@ -4322,12 +4422,47 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyStatus default: {} +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust + map: + fields: + - name: fulcioCAData + type: + scalar: string + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust + map: + fields: + - name: caIntermediatesData + type: + scalar: string + - name: caRootsData + type: + scalar: string + - name: pkiCertificateSubject + type: + namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject + default: {} +- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust + map: + fields: + - name: keyData + type: + scalar: string + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.ImagePolicySpec map: fields: - name: policy type: - namedType: com.github.openshift.api.config.v1alpha1.Policy + namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy default: {} - name: scopes type: @@ -4346,6 +4481,17 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - type +- name: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity + default: {} - name: com.github.openshift.api.config.v1alpha1.InsightsDataGather map: fields: 
@@ -4424,19 +4570,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: verbosity type: scalar: string -- name: com.github.openshift.api.config.v1alpha1.PKI - map: - fields: - - name: caIntermediatesData - type: - scalar: string - - name: caRootsData - type: - scalar: string - - name: pkiCertificateSubject - type: - namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject - default: {} - name: com.github.openshift.api.config.v1alpha1.PKICertificateSubject map: fields: @@ -4463,17 +4596,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: mountPath type: scalar: string -- name: com.github.openshift.api.config.v1alpha1.Policy - map: - fields: - - name: rootOfTrust - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust - default: {} - - name: signedIdentity - type: - namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity - default: {} - name: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject map: fields: @@ -4528,17 +4650,17 @@ var schemaYAML = typed.YAMLObject(`types: fields: - name: fulcioCAWithRekor type: - namedType: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust - name: pki type: - namedType: com.github.openshift.api.config.v1alpha1.PKI + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust - name: policyType type: scalar: string default: "" - name: publicKey type: - namedType: com.github.openshift.api.config.v1alpha1.PublicKey + namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust unions: - discriminator: policyType fields: 
@@ -4548,15 +4670,40 @@ var schemaYAML = typed.YAMLObject(`types: discriminatorValue: PKI - fieldName: publicKey discriminatorValue: PublicKey -- name: com.github.openshift.api.config.v1alpha1.PublicKey +- name: com.github.openshift.api.config.v1alpha1.PrometheusOperatorConfig map: fields: - - name: keyData + - name: logLevel type: scalar: string - - name: rekorKeyData + - name: nodeSelector type: - scalar: string + map: + elementType: + scalar: string + - name: resources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha1.ContainerResource + elementRelationship: associative + keys: + - name + - name: tolerations + type: + list: + elementType: + namedType: io.k8s.api.core.v1.Toleration + elementRelationship: atomic + - name: topologySpreadConstraints + type: + list: + elementType: + namedType: io.k8s.api.core.v1.TopologySpreadConstraint + elementRelationship: associative + keys: + - topologyKey + - whenUnsatisfiable - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go index 2530a4a64..58cf671dc 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -13,6 +13,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface BackupsGetter + CRIOCredentialProviderConfigsGetter ClusterImagePoliciesGetter ClusterMonitoringsGetter ImagePoliciesGetter 
@@ -28,6 +29,10 @@ func (c *ConfigV1alpha1Client) Backups() BackupInterface { return newBackups(c) } +func (c *ConfigV1alpha1Client) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface { + return newCRIOCredentialProviderConfigs(c) +} + func (c *ConfigV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface { return newClusterImagePolicies(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go new file mode 100644 index 000000000..3c4962155 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go 
@@ -0,0 +1,62 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + context "context" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + applyconfigurationsconfigv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" +) + +// CRIOCredentialProviderConfigsGetter has a method to return a CRIOCredentialProviderConfigInterface. +// A group's client should implement this interface. +type CRIOCredentialProviderConfigsGetter interface { + CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface +} + +// CRIOCredentialProviderConfigInterface has methods to work with CRIOCredentialProviderConfig resources. +type CRIOCredentialProviderConfigInterface interface { + Create(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.CreateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error) + Update(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error) + List(ctx context.Context, opts v1.ListOptions) (*configv1alpha1.CRIOCredentialProviderConfigList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1alpha1.CRIOCredentialProviderConfig, err error) + Apply(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). 
+ ApplyStatus(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error) + CRIOCredentialProviderConfigExpansion +} + +// cRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface +type cRIOCredentialProviderConfigs struct { + *gentype.ClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration] +} + +// newCRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigs +func newCRIOCredentialProviderConfigs(c *ConfigV1alpha1Client) *cRIOCredentialProviderConfigs { + return &cRIOCredentialProviderConfigs{ + gentype.NewClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]( + "criocredentialproviderconfigs", + c.RESTClient(), + scheme.ParameterCodec, + "", + func() *configv1alpha1.CRIOCredentialProviderConfig { + return &configv1alpha1.CRIOCredentialProviderConfig{} + }, + func() *configv1alpha1.CRIOCredentialProviderConfigList { + return &configv1alpha1.CRIOCredentialProviderConfigList{} + }, + ), + } +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ab5198cce..9f530ae22 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go 
@@ -4,6 +4,8 @@ package v1alpha1 type BackupExpansion interface{} +type CRIOCredentialProviderConfigExpansion interface{} + type ClusterImagePolicyExpansion interface{} type ClusterMonitoringExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go new file mode 100644 index 000000000..b349ee0ed --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go 
@@ -0,0 +1,85 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + context "context" + time "time" + + apiconfigv1alpha1 "github.com/openshift/api/config/v1alpha1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + configv1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// CRIOCredentialProviderConfigInformer provides access to a shared informer and lister for +// CRIOCredentialProviderConfigs. +type CRIOCredentialProviderConfigInformer interface { + Informer() cache.SharedIndexInformer + Lister() configv1alpha1.CRIOCredentialProviderConfigLister +} + +type cRIOCredentialProviderConfigInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(context.Background(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(context.Background(), options) + }, + ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(ctx, options) + }, + WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(ctx, options) + }, + }, + &apiconfigv1alpha1.CRIOCredentialProviderConfig{}, + resyncPeriod, + indexers, + ) +} + +func (f *cRIOCredentialProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *cRIOCredentialProviderConfigInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apiconfigv1alpha1.CRIOCredentialProviderConfig{}, f.defaultInformer) +} + +func (f *cRIOCredentialProviderConfigInformer) Lister() configv1alpha1.CRIOCredentialProviderConfigLister { + return 
configv1alpha1.NewCRIOCredentialProviderConfigLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go index 893d2db0a..10cc930b8 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go @@ -10,6 +10,8 @@ import ( type Interface interface { // Backups returns a BackupInformer. Backups() BackupInformer + // CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer. + CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer // ClusterImagePolicies returns a ClusterImagePolicyInformer. ClusterImagePolicies() ClusterImagePolicyInformer // ClusterMonitorings returns a ClusterMonitoringInformer. @@ -36,6 +38,11 @@ func (v *version) Backups() BackupInformer { return &backupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer. +func (v *version) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer { + return &cRIOCredentialProviderConfigInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // ClusterImagePolicies returns a ClusterImagePolicyInformer. func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer { return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index 146e7e975..ca697748a 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go 
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go @@ -91,6 +91,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.openshift.io, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("backups"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().Backups().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CRIOCredentialProviderConfigs().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ClusterImagePolicies().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clustermonitorings"): diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go new file mode 100644 index 000000000..cc5dfa388 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go 
@@ -0,0 +1,32 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + labels "k8s.io/apimachinery/pkg/labels" + listers "k8s.io/client-go/listers" + cache "k8s.io/client-go/tools/cache" +) + +// CRIOCredentialProviderConfigLister helps list CRIOCredentialProviderConfigs. +// All objects returned here must be treated as read-only. +type CRIOCredentialProviderConfigLister interface { + // List lists all CRIOCredentialProviderConfigs in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*configv1alpha1.CRIOCredentialProviderConfig, err error) + // Get retrieves the CRIOCredentialProviderConfig from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*configv1alpha1.CRIOCredentialProviderConfig, error) + CRIOCredentialProviderConfigListerExpansion +} + +// cRIOCredentialProviderConfigLister implements the CRIOCredentialProviderConfigLister interface. +type cRIOCredentialProviderConfigLister struct { + listers.ResourceIndexer[*configv1alpha1.CRIOCredentialProviderConfig] +} + +// NewCRIOCredentialProviderConfigLister returns a new CRIOCredentialProviderConfigLister. +func NewCRIOCredentialProviderConfigLister(indexer cache.Indexer) CRIOCredentialProviderConfigLister { + return &cRIOCredentialProviderConfigLister{listers.New[*configv1alpha1.CRIOCredentialProviderConfig](indexer, configv1alpha1.Resource("criocredentialproviderconfig"))} +} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go index 09b4d206d..75ba32823 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go 
@@ -6,6 +6,10 @@ package v1alpha1 // BackupLister. type BackupListerExpansion interface{} +// CRIOCredentialProviderConfigListerExpansion allows custom methods to be added to +// CRIOCredentialProviderConfigLister. +type CRIOCredentialProviderConfigListerExpansion interface{} + // ClusterImagePolicyListerExpansion allows custom methods to be added to // ClusterImagePolicyLister. type ClusterImagePolicyListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/machine/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/machine/applyconfigurations/internal/internal.go index 8a9308e85..3dd213be7 100644 --- a/vendor/github.com/openshift/client-go/machine/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/machine/applyconfigurations/internal/internal.go @@ -548,6 +548,9 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: numeric default: 0 + - name: synchronizedAPI + type: + scalar: string - name: synchronizedGeneration type: scalar: numeric @@ -620,6 +623,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: providerStatus type: namedType: __untyped_atomic_ + - name: synchronizedAPI + type: + scalar: string - name: synchronizedGeneration type: scalar: numeric diff --git a/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go b/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go index 583ee66b7..08b74fde0 100644 --- a/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go +++ b/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go 
@@ -18,6 +18,7 @@ type MachineSetStatusApplyConfiguration struct { ErrorMessage *string `json:"errorMessage,omitempty"` Conditions []ConditionApplyConfiguration `json:"conditions,omitempty"` AuthoritativeAPI *machinev1beta1.MachineAuthority `json:"authoritativeAPI,omitempty"` + SynchronizedAPI *machinev1beta1.SynchronizedAPI `json:"synchronizedAPI,omitempty"` SynchronizedGeneration *int64 `json:"synchronizedGeneration,omitempty"` } @@ -104,6 +105,14 @@ func (b *MachineSetStatusApplyConfiguration) WithAuthoritativeAPI(value machinev return b } +// WithSynchronizedAPI sets the SynchronizedAPI field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SynchronizedAPI field is set to the value of the last call. +func (b *MachineSetStatusApplyConfiguration) WithSynchronizedAPI(value machinev1beta1.SynchronizedAPI) *MachineSetStatusApplyConfiguration { + b.SynchronizedAPI = &value + return b +} + // WithSynchronizedGeneration sets the SynchronizedGeneration field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SynchronizedGeneration field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinestatus.go b/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinestatus.go index ab4a2632c..8e211e60e 100644 --- a/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinestatus.go +++ b/vendor/github.com/openshift/client-go/machine/applyconfigurations/machine/v1beta1/machinestatus.go 
@@ -22,6 +22,7 @@ type MachineStatusApplyConfiguration struct { Phase *string `json:"phase,omitempty"` Conditions []ConditionApplyConfiguration `json:"conditions,omitempty"` AuthoritativeAPI *machinev1beta1.MachineAuthority `json:"authoritativeAPI,omitempty"` + SynchronizedAPI *machinev1beta1.SynchronizedAPI `json:"synchronizedAPI,omitempty"` SynchronizedGeneration *int64 `json:"synchronizedGeneration,omitempty"` } @@ -118,6 +119,14 @@ func (b *MachineStatusApplyConfiguration) WithAuthoritativeAPI(value machinev1be return b } +// WithSynchronizedAPI sets the SynchronizedAPI field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SynchronizedAPI field is set to the value of the last call. +func (b *MachineStatusApplyConfiguration) WithSynchronizedAPI(value machinev1beta1.SynchronizedAPI) *MachineStatusApplyConfiguration { + b.SynchronizedAPI = &value + return b +} + // WithSynchronizedGeneration sets the SynchronizedGeneration field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SynchronizedGeneration field is set to the value of the last call. diff --git a/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machine.go b/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machine.go index ccb01f64c..7e3249263 100644 --- a/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machine.go +++ b/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machine.go 
@@ -51,6 +51,7 @@ type MachineBuilder struct { // status fields addresses []corev1.NodeAddress authoritativeAPIStatus machinev1beta1.MachineAuthority + synchronizedAPIStatus machinev1beta1.SynchronizedAPI conditions []machinev1beta1.Condition errorMessage *string errorReason *machinev1beta1.MachineStatusError @@ -95,6 +96,7 @@ func (m MachineBuilder) Build() *machinev1beta1.Machine { NodeRef: m.nodeRef, Phase: m.phase, ProviderStatus: m.providerStatus, + SynchronizedAPI: m.synchronizedAPIStatus, }, } @@ -240,6 +242,12 @@ func (m MachineBuilder) WithAuthoritativeAPIStatus(authority machinev1beta1.Mach return m } +// WithSynchronizedAPIStatus sets the synchronizedAPIStatus for the machine builder. +func (m MachineBuilder) WithSynchronizedAPIStatus(synchronizedAPI machinev1beta1.SynchronizedAPI) MachineBuilder { + m.synchronizedAPIStatus = synchronizedAPI + return m +} + // WithConditions sets the conditions status field for the machine builder. func (m MachineBuilder) WithConditions(c []machinev1beta1.Condition) MachineBuilder { m.conditions = c diff --git a/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machineset.go b/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machineset.go index fa7d7307e..37bbd3dba 100644 --- a/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machineset.go +++ b/vendor/github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder/machine/v1beta1/machineset.go @@ -67,6 +67,7 @@ type MachineSetBuilder struct { observedGeneration int64 readyReplicas int32 replicasStatus int32 + synchronizedAPIStatus machinev1beta1.SynchronizedAPI synchronizedGeneration int64 } 
@@ -118,6 +119,7 @@ func (m MachineSetBuilder) Build() *machinev1beta1.MachineSet { ObservedGeneration: m.observedGeneration, ReadyReplicas: m.readyReplicas, Replicas: m.replicasStatus, + SynchronizedAPI: m.synchronizedAPIStatus, SynchronizedGeneration: m.synchronizedGeneration, }, } @@ -342,6 +344,12 @@ func (m MachineSetBuilder) WithReplicasStatus(r int32) MachineSetBuilder { return m } +// WithSynchronizedAPIStatus sets the synchronizedAPIStatus for the machineSet builder. +func (m MachineSetBuilder) WithSynchronizedAPIStatus(synchronizedAPI machinev1beta1.SynchronizedAPI) MachineSetBuilder { + m.synchronizedAPIStatus = synchronizedAPI + return m +} + // WithSynchronizedGeneration sets the synchronizedGeneration for the machineSet builder. func (m MachineSetBuilder) WithSynchronizedGeneration(n int64) MachineSetBuilder { m.synchronizedGeneration = n diff --git a/vendor/modules.txt b/vendor/modules.txt index 127e337a5..f680eea96 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1043,7 +1043,7 @@ github.com/onsi/gomega/types # github.com/opencontainers/go-digest v1.0.0 ## explicit; go 1.13 github.com/opencontainers/go-digest -# github.com/openshift/api v0.0.0-20260105114749-aae5635a71a7 +# github.com/openshift/api v0.0.0-20260209232644-126cbbe24427 ## explicit; go 1.24.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1066,6 +1066,8 @@ github.com/openshift/api/config/v1alpha1 github.com/openshift/api/config/v1alpha2 github.com/openshift/api/console github.com/openshift/api/console/v1 +github.com/openshift/api/etcd +github.com/openshift/api/etcd/v1alpha1 github.com/openshift/api/features github.com/openshift/api/helm github.com/openshift/api/helm/v1beta1 
@@ -1122,7 +1124,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/client-go v0.0.0-20260105124352-f93a4291f9ae +# github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 => ../client-go ## explicit; go 1.24.0 github.com/openshift/client-go/config/applyconfigurations/config/v1 github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1 @@ -1150,7 +1152,7 @@ github.com/openshift/client-go/operator/applyconfigurations/operator/v1 ## explicit; go 1.24.0 github.com/openshift/cluster-api-actuator-pkg/pkg/framework github.com/openshift/cluster-api-actuator-pkg/pkg/framework/gatherer -# github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0 => github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251212150432-4a60119d9691 +# github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0 => github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e ## explicit; go 1.24.0 github.com/openshift/cluster-api-actuator-pkg/testutils github.com/openshift/cluster-api-actuator-pkg/testutils/resourcebuilder 
@@ -3006,6 +3008,7 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 # github.com/metal3-io/baremetal-operator => github.com/metal3-io/baremetal-operator v0.5.1 # github.com/openshift/cluster-api-actuator-pkg => github.com/openshift/cluster-api-actuator-pkg v0.0.0-20251212150432-4a60119d9691 -# github.com/openshift/cluster-api-actuator-pkg/testutils => github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20251212150432-4a60119d9691 +# github.com/openshift/cluster-api-actuator-pkg/testutils => github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e +# github.com/openshift/client-go => ../client-go # sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.11.3 # sigs.k8s.io/cluster-api-provider-azure => github.com/openshift/cluster-api-provider-azure v0.0.0-20251202084521-c2e0e38d1e0e
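Review bot: The new line `# github.com/openshift/client-go => ../client-go` records a replace directive to a relative path outside the module, so the vendored client-go is whatever happened to be in a sibling checkout when `go mod vendor` ran, not the `v0.0.0-20260108185524-48f4ccfc4e13` pseudo-version the same hunk claims to pin, and any build or `go mod verify` on a machine without that directory will fail. The matching `=> ../client-go` at the earlier `# github.com/openshift/client-go ...` module header shows this was re-vendored, not hand-edited, so the directive presumably lives in the root go.mod (not visible here); it should be removed there and the vendor tree regenerated against the published commit. The second replace, `github.com/openshift/cluster-api-actuator-pkg/testutils => github.com/radekmanak/cluster-api-actuator-pkg/testutils v0.0.0-20260204135636-0341bab0647e`, moves that dependency to a personal fork; the pseudo-version and go.sum pin the content, but ownership of a test-utility import path now rests with one account, so treat it as a temporary measure and drop it once the SynchronizedAPI builder changes land upstream.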