From 42c3d265ce6ee0319a625a01e7a65a1c29f9e2ed Mon Sep 17 00:00:00 2001
From: Naseerah Kani Pakrudeen Ali
Date: Mon, 23 Jun 2025 16:04:00 -0400
Subject: [PATCH 01/11] fixing noisy logs for MCN

---
 pkg/upgrademonitor/upgrade_monitor.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go
index 299439b300..10f88524ab 100644
--- a/pkg/upgrademonitor/upgrade_monitor.go
+++ b/pkg/upgrademonitor/upgrade_monitor.go
@@ -403,11 +403,16 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc
 // createOrGetMachineConfigNode gets the named MCN or returns a boolean indicating we need to create one
 func createOrGetMachineConfigNode(mcfgClient mcfgclientset.Interface, node *corev1.Node) (*mcfgv1.MachineConfigNode, bool) {
 mcNode, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Get(context.TODO(), node.Name, metav1.GetOptions{})
- if mcNode.Name == "" || (err != nil && apierrors.IsNotFound(err)) {
+ if err != nil {
+ //no existing MCN found since no resource found, no error yet just create a new one
+ if apierrors.IsNotFound((err)) {
+ klog.V(4).Infof("MachineConfigNode for node %q not found, will create a new one", node.Name)
+ return mcNode, true
+ }
+ //true error getting existing MCN
 klog.Errorf("error getting existing MCN: %v", err)
 return mcNode, true
 }
-
 return mcNode, false
 }

From 8c3f7476a4545dfa61d27595184edb3f46876d4e Mon Sep 17 00:00:00 2001
From: Naseerah Kani Pakrudeen Ali
Date: Tue, 24 Jun 2025 10:59:14 -0400
Subject: [PATCH 02/11] fixing comment styles

---
 pkg/upgrademonitor/upgrade_monitor.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go
index 10f88524ab..7e1a60ab0d 100644
--- a/pkg/upgrademonitor/upgrade_monitor.go
+++ b/pkg/upgrademonitor/upgrade_monitor.go
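Review bot: The non-NotFound branch at the end of the new `if err != nil` block still returns `mcNode, true`, so a transient Get failure (timeout, throttling, an RBAC denial) is reported to the caller as "no MCN exists, create one" while the real error is only logged; the caller may then attempt a create against an object that does exist, and it has no way to back off or retry the Get. Since the function has no error return, the fix is likely a signature change to `(*mcfgv1.MachineConfigNode, bool, error)` with the caller handling the error, or at minimum the function comment should state that `true` is also returned on unrelated API errors. The dropped `mcNode.Name == ""` guard is presumably safe because a successful Get always populates the name, but that assumption is worth a sentence in the comment. `apierrors.IsNotFound((err))` has a redundant pair of parentheses and should read `if apierrors.IsNotFound(err) {`; the comment-style hunk in PATCH 02 leaves it as is. The enclosing function is fully within the hunk.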
@@ -404,12 +404,12 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc func createOrGetMachineConfigNode(mcfgClient mcfgclientset.Interface, node *corev1.Node) (*mcfgv1.MachineConfigNode, bool) { mcNode, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Get(context.TODO(), node.Name, metav1.GetOptions{}) if err != nil { - //no existing MCN found since no resource found, no error yet just create a new one + // no existing MCN found since no resource found, no error yet just create a new one if apierrors.IsNotFound((err)) { klog.V(4).Infof("MachineConfigNode for node %q not found, will create a new one", node.Name) return mcNode, true } - //true error getting existing MCN + // true error getting existing MCN klog.Errorf("error getting existing MCN: %v", err) return mcNode, true } From c5f30d0bd6f0010d89c1e72eeb5e5099377b9cc1 Mon Sep 17 00:00:00 2001 From: Naseerah Kani Pakrudeen Ali Date: Tue, 1 Jul 2025 17:29:35 -0400 Subject: [PATCH 03/11] updated version for api --- go.mod | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.mod b/go.mod index a54321bfcd..6655bf1049 100644 --- a/go.mod +++ b/go.mod @@ -350,3 +350,5 @@ require ( ) replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 + +replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250425163235-9b80d67473bc From ab8a94df38a2750ee3fd6305bd6dc9c9cd75a289 Mon Sep 17 00:00:00 2001 
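Review bot: The added `replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250425163235-9b80d67473bc` redirects a core dependency to a personal fork, so the build vendors code that has not gone through the upstream repository's review, and the same pattern recurs in PATCH 04's second go.mod hunk, which swaps it for `replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344`. Fork replaces are reasonable for local iteration, but before merge they should be removed and the corresponding require line bumped to the upstream pseudo-version that carries the needed change, with the commit message naming the upstream change it depends on. The vendor consistency check will not flag this on its own, so it has to be caught in review; a comment on the replace line such as `// TEMPORARY: pending upstream merge, do not ship` would at least make the intent explicit in the interim.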
From: Naseerah Kani Pakrudeen Ali Date: Wed, 2 Jul 2025 11:40:51 -0400 Subject: [PATCH 04/11] updating client-go reference in mco --- go.mod | 4 +- go.sum | 8 +- .../github.com/openshift/api/.golangci.yaml | 7 +- .../github.com/openshift/api/Dockerfile.ocp | 2 +- vendor/github.com/openshift/api/README.md | 2 + .../api/config/v1/types_apiserver.go | 2 + .../api/config/v1/types_authentication.go | 302 +++-- .../config/v1/types_cluster_image_policy.go | 87 ++ .../api/config/v1/types_cluster_version.go | 4 +- .../api/config/v1/types_image_policy.go | 322 +++++ .../api/config/v1/types_infrastructure.go | 14 +- ...1_clusterversions-CustomNoUpgrade.crd.yaml | 4 +- ...erator_01_clusterversions-Default.crd.yaml | 4 +- ...usterversions-DevPreviewNoUpgrade.crd.yaml | 4 +- ...sterversions-TechPreviewNoUpgrade.crd.yaml | 4 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 2 + ...ig-operator_01_apiservers-Default.crd.yaml | 2 + ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 2 + ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 2 + ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 297 +++-- ...uthentications-Hypershift-Default.crd.yaml | 297 +++-- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 297 +++-- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 297 +++-- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 297 +++-- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 297 +++-- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 297 +++-- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 510 ++++++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 510 ++++++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 510 ++++++++ ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 511 ++++++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 511 ++++++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 511 ++++++++ ...1_infrastructures-CustomNoUpgrade.crd.yaml | 3 +- ...erator_01_infrastructures-Default.crd.yaml | 2 +- ...frastructures-DevPreviewNoUpgrade.crd.yaml | 3 +- 
...rastructures-TechPreviewNoUpgrade.crd.yaml | 3 +- .../api/config/v1/zz_generated.deepcopy.go | 436 ++++++- ..._generated.featuregated-crd-manifests.yaml | 50 +- .../v1/zz_generated.swagger_doc_generated.go | 256 +++- .../api/config/v1alpha1/types_image_policy.go | 2 +- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 2 +- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 2 +- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 95 +- ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 2 +- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 2 +- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 95 +- .../zz_generated.swagger_doc_generated.go | 2 +- vendor/github.com/openshift/api/features.md | 43 +- .../openshift/api/features/features.go | 241 ++-- .../api/features/legacyfeaturegates.go | 6 - .../api/machine/v1beta1/types_awsprovider.go | 4 +- .../machine/v1beta1/zz_generated.deepcopy.go | 4 +- .../zz_generated.swagger_doc_generated.go | 2 +- .../v1/types_machineosbuild.go | 4 +- ...controllerconfigs-CustomNoUpgrade.crd.yaml | 3 +- ...nfig_01_controllerconfigs-Default.crd.yaml | 2 +- ...rollerconfigs-DevPreviewNoUpgrade.crd.yaml | 3 +- ...ollerconfigs-TechPreviewNoUpgrade.crd.yaml | 3 +- ...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 379 ------ ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 379 ------ ...ine-config_01_machineconfignodes.crd.yaml} | 1 - ...fig_01_machineconfigpools-Default.crd.yaml | 500 -------- ...neconfigpools-DevPreviewNoUpgrade.crd.yaml | 617 ---------- ...econfigpools-TechPreviewNoUpgrade.crd.yaml | 617 ---------- ...ine-config_01_machineconfigpools.crd.yaml} | 1 - ...machine-config_01_machineosbuilds.crd.yaml | 18 +- ...achine-config_01_machineosconfigs.crd.yaml | 9 +- ...nnedimagesets-DevPreviewNoUpgrade.crd.yaml | 102 -- ...nedimagesets-TechPreviewNoUpgrade.crd.yaml | 102 -- ...achine-config_01_pinnedimagesets.crd.yaml} | 1 - ..._generated.featuregated-crd-manifests.yaml | 2 - .../v1/zz_generated.swagger_doc_generated.go | 2 +- 
...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 378 ------ ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 378 ------ ...ine-config_01_machineconfignodes.crd.yaml} | 1 - ...nnedimagesets-DevPreviewNoUpgrade.crd.yaml | 168 --- ...nedimagesets-TechPreviewNoUpgrade.crd.yaml | 168 --- ...achine-config_01_pinnedimagesets.crd.yaml} | 1 - .../api/openshiftcontrolplane/v1/types.go | 5 +- .../v1/zz_generated.deepcopy.go | 1 - .../operator/v1/types_csi_cluster_driver.go | 3 - .../operator/v1/types_machineconfiguration.go | 2 - ...00_70_network_01_networks-Default.crd.yaml | 1028 ---------------- ...k_01_networks-DevPreviewNoUpgrade.crd.yaml | 1051 ----------------- ..._01_networks-TechPreviewNoUpgrade.crd.yaml | 1051 ----------------- ...l => 0000_70_network_01_networks.crd.yaml} | 1 - ..._generated.featuregated-crd-manifests.yaml | 2 - .../render/legacyfeaturegates.go | 4 - .../config/v1/clusterimagepolicy.go | 246 ++++ .../config/v1/clusterimagepolicyspec.go | 38 + .../config/v1/clusterimagepolicystatus.go | 32 + .../config/v1/fulciocawithrekor.go | 45 + .../config/v1/imagepolicy.go | 248 ++++ .../config/v1/imagepolicyspec.go | 38 + .../config/v1/imagepolicystatus.go | 32 + .../applyconfigurations/config/v1/pki.go | 45 + .../config/v1/pkicertificatesubject.go | 32 + .../applyconfigurations/config/v1/policy.go | 32 + .../config/v1/policyfulciosubject.go | 32 + .../config/v1/policyidentity.go | 45 + .../config/v1/policymatchexactrepository.go | 27 + .../config/v1/policymatchremapidentity.go | 36 + .../config/v1/policyrootoftrust.go | 54 + .../config/v1/publickey.go | 36 + .../config/v1/usernameclaimmapping.go | 8 +- .../config/v1alpha2/custom.go | 28 + .../config/v1alpha2/gatherconfig.go | 47 + .../config/v1alpha2/gathererconfig.go | 36 + .../config/v1alpha2/gatherers.go | 36 + .../config/v1alpha2/insightsdatagather.go | 246 ++++ .../config/v1alpha2/insightsdatagatherspec.go | 23 + .../persistentvolumeclaimreference.go | 23 + .../config/v1alpha2/persistentvolumeconfig.go | 
32 + .../config/v1alpha2/storage.go | 36 + .../applyconfigurations/internal/internal.go | 340 ++++++ .../config/applyconfigurations/utils.go | 54 + .../config/clientset/versioned/clientset.go | 13 + .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../typed/config/v1/clusterimagepolicy.go | 58 + .../typed/config/v1/config_client.go | 10 + .../config/v1/fake/fake_clusterimagepolicy.go | 37 + .../config/v1/fake/fake_config_client.go | 8 + .../typed/config/v1/fake/fake_imagepolicy.go | 33 + .../typed/config/v1/generated_expansion.go | 4 + .../versioned/typed/config/v1/imagepolicy.go | 58 + .../typed/config/v1alpha2/config_client.go | 91 ++ .../versioned/typed/config/v1alpha2/doc.go | 4 + .../typed/config/v1alpha2/fake/doc.go | 4 + .../v1alpha2/fake/fake_config_client.go | 24 + .../v1alpha2/fake/fake_insightsdatagather.go | 37 + .../config/v1alpha2/generated_expansion.go | 5 + .../config/v1alpha2/insightsdatagather.go | 58 + .../externalversions/config/interface.go | 8 + .../config/v1/clusterimagepolicy.go | 73 ++ .../externalversions/config/v1/imagepolicy.go | 74 ++ .../externalversions/config/v1/interface.go | 14 + .../config/v1alpha2/insightsdatagather.go | 73 ++ .../config/v1alpha2/interface.go | 29 + .../informers/externalversions/generic.go | 9 + .../listers/config/v1/clusterimagepolicy.go | 32 + .../listers/config/v1/expansion_generated.go | 12 + .../config/listers/config/v1/imagepolicy.go | 54 + .../config/v1alpha2/expansion_generated.go | 7 + .../config/v1alpha2/insightsdatagather.go | 32 + vendor/modules.txt | 10 +- 147 files changed, 9129 insertions(+), 7842 deletions(-) create mode 100644 vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go create mode 100644 vendor/github.com/openshift/api/config/v1/types_image_policy.go create mode 100644 
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/{0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml => 0000_80_machine-config_01_machineconfignodes.crd.yaml} (99%) delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-Default.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-DevPreviewNoUpgrade.crd.yaml delete mode 100644 
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/{0000_80_machine-config_01_machineconfigpools-CustomNoUpgrade.crd.yaml => 0000_80_machine-config_01_machineconfigpools.crd.yaml} (99%) delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/{0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml => 0000_80_machine-config_01_pinnedimagesets.crd.yaml} (98%) delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/{0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml => 0000_80_machine-config_01_machineconfignodes.crd.yaml} (99%) delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml rename 
vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/{0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml => 0000_80_machine-config_01_pinnedimagesets.crd.yaml} (99%) delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/{0000_70_network_01_networks-CustomNoUpgrade.crd.yaml => 0000_70_network_01_networks.crd.yaml} (99%) create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go create mode 100644 
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusterimagepolicy.go create mode 100644 
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterimagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/config_client.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/doc.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/doc.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_config_client.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_insightsdatagather.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/generated_expansion.go create mode 100644 vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/insightsdatagather.go create mode 100644 vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go create mode 100644 vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/interface.go create mode 100644 vendor/github.com/openshift/client-go/config/listers/config/v1/clusterimagepolicy.go create mode 100644 vendor/github.com/openshift/client-go/config/listers/config/v1/imagepolicy.go create mode 100644 
vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/expansion_generated.go create mode 100644 vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/insightsdatagather.go diff --git a/go.mod b/go.mod index 6655bf1049..404fc1844a 100644 --- a/go.mod +++ b/go.mod @@ -30,7 +30,7 @@ require ( github.com/google/renameio v0.1.0 github.com/imdario/mergo v0.3.16 github.com/opencontainers/go-digest v1.0.0 - github.com/openshift/api v0.0.0-20250425163235-9b80d67473bc + github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b @@ -351,4 +351,4 @@ require ( replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 -replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250425163235-9b80d67473bc +replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 diff --git a/go.sum b/go.sum index 0b1df80200..ce82b5242f 100644 --- a/go.sum +++ b/go.sum 
@@ -483,6 +483,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= +github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 h1:F3b00R8BHTLsRFwdnFqsq2qbmBNo/wb7NlW2yuvUmk4= +github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344/go.mod h1:Cce4FUvlkzzMnElVNAk2VDn/g6H48DyK96ZYcaU9GdY= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= 
@@ -513,10 +515,8 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/openshift/api v0.0.0-20250425163235-9b80d67473bc h1:BGKjHtYzBweOSu1UwTnNqtPbJZ4VzOTqVFlUDpP+6U8= -github.com/openshift/api v0.0.0-20250425163235-9b80d67473bc/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= -github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 h1:2HPG58V07TrrSGBviNPd0PY42vYHPPCIEwj/pb9nUlY= -github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1/go.mod h1:kH5mjMfcHCF0tEnxwvNJTLMnlbrEt3Ua+vMVGvBOK5w= +github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c h1:0Np840IRyzpvHLWxcE1AZ8sttVZe+a3Y6QBS3Ge+umA= +github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 h1:GPlAy197Jkr+D0T2FNWanamraTdzS/r9ZkT29lxvHaA= github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 h1:VLj8CU9q009xlMuR4wNcqDX4lVa2Ji3u/iYnBLHtQUc= diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml index 848960e946..3d44daed39 100644 --- a/vendor/github.com/openshift/api/.golangci.yaml +++ b/vendor/github.com/openshift/api/.golangci.yaml 
@@ -1,13 +1,14 @@ linters-settings: custom: - kal: + kubeapilinter: type: "module" - description: KAL is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices. + description: kubeapilinter is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices. settings: linters: enable: - "maxlength" - "nobools" + - "nomaps" - "statussubresource" lintersConfig: conditions: @@ -17,7 +18,7 @@ linters-settings: linters: disable-all: true enable: - - kal + - kubeapilinter issues: # We have a lot of existing issues. # Want to make sure that those adding new fields have an diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp index 8d50096ed0..3b5d1736dc 100644 --- a/vendor/github.com/openshift/api/Dockerfile.ocp +++ b/vendor/github.com/openshift/api/Dockerfile.ocp @@ -15,7 +15,7 @@ RUN mkdir -p /usr/share/bootkube/manifests/manifests COPY payload-manifests/crds/* /usr/share/bootkube/manifests/manifests # these are applied by the CVO -COPY manifests /manifests +RUN mkdir -p /manifests COPY payload-manifests/crds/* /manifests COPY payload-manifests/featuregates/* /manifests COPY payload-command/empty-resources /manifests diff --git a/vendor/github.com/openshift/api/README.md b/vendor/github.com/openshift/api/README.md index 934bcd3299..071da98c07 100644 --- a/vendor/github.com/openshift/api/README.md +++ b/vendor/github.com/openshift/api/README.md 
@@ -99,6 +99,8 @@ and then enforces the following rules. 3. Every test must be run on every TechPreview platform we have jobs for. (Ask for an exception if your feature doesn't support a variant.) 4. Every test must run at least 14 times on every platform/variant. 5. Every test must pass at least 95% of the time on every platform/variant. +6. Test results are taken from the last 7 days if the test was run at least 14 times during that period. Otherwise, data from the last 14 days is used. +7. Test flakes (even if the test eventually passes on a retry) are considered failures and negatively impact the pass rate. If your FeatureGate lacks automated testing, there is an exception process that allows QE to sign off on the promotion by commenting on the PR. diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 38322b95d5..327ce13da3 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go @@ -155,6 +155,7 @@ type APIServerServingCerts struct { // the defaultServingCertificate will be used. // +optional // +listType=atomic + // +kubebuilder:validation:MaxItems=32 NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"` } @@ -165,6 +166,7 @@ type APIServerNamedServingCert struct { // Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. // +optional // +listType=atomic + // +kubebuilder:validation:MaxItems=64 Names []string `json:"names,omitempty"` // servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. // The secret must exist in the openshift-config namespace and contain the following required fields: 
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index 651d8a2101..f91c9cbf0b 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go 
@@ -195,32 +195,50 @@ const ( ) type OIDCProvider struct { - // name of the OIDC provider + // name is a required field that configures the unique human-readable identifier + // associated with the identity provider. + // It is used to distinguish between multiple identity providers + // and has no impact on token validation or authentication mechanics. + // + // name must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Name string `json:"name"` - // issuer describes atributes of the OIDC token issuer + + // issuer is a required field that configures how the platform interacts + // with the identity provider and how tokens issued from the identity provider + // are evaluated by the Kubernetes API server. // // +required Issuer TokenIssuer `json:"issuer"` - // oidcClients contains configuration for the platform's clients that - // need to request tokens from the issuer + // oidcClients is an optional field that configures how on-cluster, + // platform clients should request tokens from the identity provider. + // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. // // +listType=map // +listMapKey=componentNamespace // +listMapKey=componentName // +kubebuilder:validation:MaxItems=20 + // +optional OIDCClients []OIDCClientConfig `json:"oidcClients"` - // claimMappings describes rules on how to transform information from an - // ID token into a cluster identity + // claimMappings is a required field that configures the rules to be used by + // the Kubernetes API server for translating claims in a JWT token, issued + // by the identity provider, to a cluster identity. + // + // +required ClaimMappings TokenClaimMappings `json:"claimMappings"` - // claimValidationRules are rules that are applied to validate token claims to authenticate users. 
+ // claimValidationRules is an optional field that configures the rules to + // be used by the Kubernetes API server for validating the claims in a JWT + // token issued by the identity provider. + // + // Validation rules are joined via an AND operation. // // +listType=atomic + // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` } @@ -228,17 +246,22 @@ type OIDCProvider struct { type TokenAudience string type TokenIssuer struct { - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that configures the URL used to issue tokens + // by the identity provider. + // The Kubernetes API server determines how authentication tokens should be handled + // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required URL string `json:"issuerURL"` - // audiences is an array of audiences that the token was issued for. - // Valid tokens must include at least one of these values in their - // "aud" claim. - // Must be set to exactly one value. + // audiences is a required field that configures the acceptable audiences + // the JWT token, issued by the identity provider, must be issued to. + // At least one of the entries must match the 'aud' claim in the JWT token. + // + // audiences must contain at least one entry and must not exceed ten entries. // // +listType=set // +kubebuilder:validation:MinItems=1 
@@ -246,23 +269,35 @@ type TokenIssuer struct { // +required Audiences []TokenAudience `json:"audiences"` - // CertificateAuthority is a reference to a config map in the - // configuration namespace. The .data of the configMap must contain - // the "ca-bundle.crt" key. - // If unset, system trust is used instead. + // issuerCertificateAuthority is an optional field that configures the + // certificate authority, used by the Kubernetes API server, to validate + // the connection to the identity provider when fetching discovery information. + // + // When not specified, the system trust is used. + // + // When specified, it must reference a ConfigMap in the openshift-config + // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + // key in the data field of the ConfigMap. + // + // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` } type TokenClaimMappings struct { - // username is a name of the claim that should be used to construct - // usernames for the cluster identity. + // username is a required field that configures how the username of a cluster identity + // should be constructed from the claims in a JWT token issued by the identity provider. // - // Default value: "sub" - Username UsernameClaimMapping `json:"username,omitempty"` + // +required + Username UsernameClaimMapping `json:"username"` - // groups is a name of the claim that should be used to construct - // groups for the cluster identity. - // The referenced claim must use array of strings values. + // groups is an optional field that configures how the groups of a cluster identity + // should be constructed from the claims in a JWT token issued + // by the identity provider. + // When referencing a claim, if the claim is present in the JWT + // token, its value must be a list of groups separated by a comma (','). + // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. 
+ // + // +optional Groups PrefixedClaimMapping `json:"groups,omitempty"` // uid is an optional field for configuring the claim mapping @@ -293,8 +328,13 @@ type TokenClaimMappings struct { Extra []ExtraMapping `json:"extra,omitempty"` } +// TokenClaimMapping allows specifying a JWT token +// claim to be used when mapping claims from an +// authentication token to cluster identities. type TokenClaimMapping struct { - // claim is a JWT token claim to be used in the mapping + // claim is a required field that configures the JWT token + // claim whose value is assigned to the cluster identity + // field associated with this mapping. // // +required Claim string `json:"claim"` 
@@ -404,66 +444,118 @@ type ExtraMapping struct { ValueExpression string `json:"valueExpression"` } +// OIDCClientConfig configures how platform clients +// interact with identity providers as an authentication +// method type OIDCClientConfig struct { - // componentName is the name of the component that is supposed to consume this - // client configuration + // componentName is a required field that specifies the name of the platform + // component being configured to use the identity provider as an authentication mode. + // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that is supposed to consume this - // client configuration + // componentNamespace is a required field that specifies the namespace in which the + // platform component being configured to use the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that configures the client identifier, from + // the identity provider, that the platform component uses for authentication + // requests made to the identity provider. + // The identity provider must accept this identifier for platform components + // to be able to use the identity provider as an authentication mode. + // + // clientID must not be an empty string (""). 
// // +kubebuilder:validation:MinLength=1 // +required ClientID string `json:"clientID"` - // clientSecret refers to a secret in the `openshift-config` namespace that - // contains the client secret in the `clientSecret` key of the `.data` field + // clientSecret is an optional field that configures the client secret used + // by the platform component when making authentication requests to the identity provider. + // + // When not specified, no client secret will be used when making authentication requests + // to the identity provider. + // + // When specified, clientSecret references a Secret in the 'openshift-config' + // namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + // The client secret will be used when making authentication requests to the identity provider. + // + // Public clients do not require a client secret but private + // clients do require a client secret to work with the identity provider. + // + // +optional ClientSecret SecretNameReference `json:"clientSecret"` - // extraScopes is an optional set of scopes to request tokens with. + // extraScopes is an optional field that configures the extra scopes that should + // be requested by the platform component when making authentication requests to the + // identity provider. + // This is useful if you have configured claim mappings that requires specific + // scopes to be requested beyond the standard OIDC scopes. + // + // When omitted, no additional scopes are requested. // // +listType=set + // +optional ExtraScopes []string `json:"extraScopes"` } +// OIDCClientStatus represents the current state +// of platform components and how they interact with +// the configured identity providers. type OIDCClientStatus struct { - // componentName is the name of the component that will consume a client configuration. + // componentName is a required field that specifies the name of the platform + // component using the identity provider as an authentication mode. 
+ // It is used in combination with componentNamespace as a unique identifier. + // + // componentName must not be an empty string ("") and must not exceed 256 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 // +required ComponentName string `json:"componentName"` - // componentNamespace is the namespace of the component that will consume a client configuration. + // componentNamespace is a required field that specifies the namespace in which the + // platform component using the identity provider as an authentication + // mode is running. + // It is used in combination with componentName as a unique identifier. + // + // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=63 // +required ComponentNamespace string `json:"componentNamespace"` - // currentOIDCClients is a list of clients that the component is currently using. + // currentOIDCClients is an optional list of clients that the component is currently using. + // Entries must have unique issuerURL/clientID pairs. // // +listType=map // +listMapKey=issuerURL // +listMapKey=clientID + // +optional CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"` - // consumingUsers is a slice of ServiceAccounts that need to have read - // permission on the `clientSecret` secret. + // consumingUsers is an optional list of ServiceAccounts requiring + // read permissions on the `clientSecret` secret. + // + // consumingUsers must not exceed 5 entries. // // +kubebuilder:validation:MaxItems=5 // +listType=set + // +optional ConsumingUsers []ConsumingUser `json:"consumingUsers"` // conditions are used to communicate the state of the `oidcClients` entry. 
@@ -480,21 +572,32 @@ type OIDCClientStatus struct { Conditions []metav1.Condition `json:"conditions,omitempty"` } +// OIDCClientReference is a reference to a platform component +// client configuration. type OIDCClientReference struct { - // OIDCName refers to the `name` of the provider from `oidcProviders` + // oidcProviderName is a required reference to the 'name' of the identity provider + // configured in 'oidcProviders' that this client is associated with. + // + // oidcProviderName must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required OIDCProviderName string `json:"oidcProviderName"` - // URL is the serving URL of the token issuer. - // Must use the https:// scheme. + // issuerURL is a required field that specifies the URL of the identity + // provider that this client is configured to make requests against. + // + // issuerURL must use the 'https' scheme. // // +kubebuilder:validation:Pattern=`^https:\/\/[^\s]` // +required IssuerURL string `json:"issuerURL"` - // clientID is the identifier of the OIDC client from the OIDC provider + // clientID is a required field that specifies the client identifier, from + // the identity provider, that the platform component is using for authentication + // requests made to the identity provider. + // + // clientID must not be empty. // // +kubebuilder:validation:MinLength=1 // +required 
@@ -502,35 +605,61 @@ type OIDCClientReference struct { } // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise" +// +union type UsernameClaimMapping struct { - TokenClaimMapping `json:",inline"` + // claim is a required field that configures the JWT token + // claim whose value is assigned to the cluster identity + // field associated with this mapping. + // + // claim must not be an empty string ("") and must not exceed 256 characters. + // + // +required + // +kubebuilder:validation:MinLength:=1 + // +kubebuilder:validation:MaxLength:=256 + Claim string `json:"claim"` - // prefixPolicy specifies how a prefix should apply. + // prefixPolicy is an optional field that configures how a prefix should be + // applied to the value of the JWT claim specified in the 'claim' field. // - // By default, claims other than `email` will be prefixed with the issuer URL to - // prevent naming clashes with other plugins. + // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). // - // Set to "NoPrefix" to disable prefixing. + // When set to 'Prefix', the value specified in the prefix field will be + // prepended to the value of the JWT claim. + // The prefix field must be set when prefixPolicy is 'Prefix'. // - // Example: - // (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - // If the JWT claim `username` contains value `userA`, the resulting - // mapped value will be "myoidc:userA". - // (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - // JWT `email` claim contains value "userA@myoidc.tld", the resulting - // mapped value will be "myoidc:userA@myoidc.tld". 
- // (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - // and `claim` is set to: - // (a) "username": the mapped value will be "https://myoidc.tld#userA" - // (b) "email": the mapped value will be "userA@myoidc.tld" + // When set to 'NoPrefix', no prefix will be prepended to the value + // of the JWT claim. + // + // When omitted, this means no opinion and the platform is left to choose + // any prefixes that are applied which is subject to change over time. + // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + // when the claim is not 'email'. + // As an example, consider the following scenario: + // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + // and `claim` is set to: + // - "username": the mapped value will be "https://myoidc.tld#userA" + // - "email": the mapped value will be "userA@myoidc.tld" // // +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"} + // +optional + // +unionDiscriminator PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"` + // prefix configures the prefix that should be prepended to the value + // of the JWT claim. + // + // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + // + // +optional + // +unionMember Prefix *UsernamePrefix `json:"prefix"` } +// UsernamePrefixPolicy configures how prefixes should be applied +// to values extracted from the JWT claims during the process of mapping +// JWT claims to cluster identity attributes. +// +enum type UsernamePrefixPolicy string var ( 
@@ -545,26 +674,42 @@ var ( Prefix UsernamePrefixPolicy = "Prefix" ) +// UsernamePrefix configures the string that should +// be used as a prefix for username claim mappings. type UsernamePrefix struct { + // prefixString is a required field that configures the prefix that will + // be applied to cluster identity username attribute + // during the process of mapping JWT claims to cluster identity attributes. + // + // prefixString must not be an empty string (""). + // // +kubebuilder:validation:MinLength=1 // +required PrefixString string `json:"prefixString"` } +// PrefixedClaimMapping configures a claim mapping +// that allows for an optional prefix. type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` - // prefix is a string to prefix the value from the token in the result of the - // claim mapping. + // prefix is an optional field that configures the prefix that will be + // applied to the cluster identity attribute during the process of mapping + // JWT claims to cluster identity attributes. // - // By default, no prefixing occurs. + // When omitted (""), no prefix is applied to the cluster identity attribute. // - // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains // an array of strings "a", "b" and "c", the mapping will result in an // array of string "myoidc:a", "myoidc:b" and "myoidc:c". + // + // +optional Prefix string `json:"prefix"` } +// TokenValidationRuleType represents the different +// claim validation rule types that can be configured. +// +enum type TokenValidationRuleType string const ( 
@@ -572,26 +717,45 @@ const ( ) type TokenClaimValidationRule struct { - // type sets the type of the validation rule + // type is an optional field that configures the type of the validation rule. + // + // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + // + // When set to 'RequiredClaim', the Kubernetes API server + // will be configured to validate that the incoming JWT + // contains the required claim and that its value matches + // the required value. + // + // Defaults to 'RequiredClaim'. // // +kubebuilder:validation:Enum={"RequiredClaim"} // +kubebuilder:default="RequiredClaim" Type TokenValidationRuleType `json:"type"` - // requiredClaim allows configuring a required claim name and its expected - // value + // requiredClaim is an optional field that configures the required claim + // and value that the Kubernetes API server will use to validate if an incoming + // JWT is valid for this identity provider. + // + // +optional RequiredClaim *TokenRequiredClaim `json:"requiredClaim"` } type TokenRequiredClaim struct { - // claim is a name of a required claim. Only claims with string values are - // supported. + // claim is a required field that configures the name of the required claim. + // When taken from the JWT claims, claim must be a string value. + // + // claim must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required Claim string `json:"claim"` - // requiredValue is the required value for the claim. + // requiredValue is a required field that configures the value that 'claim' must + // have when taken from the incoming JWT claims. + // If the value in the JWT claims does not match, the token + // will be rejected for authentication. + // + // requiredValue must not be an empty string (""). // // +kubebuilder:validation:MinLength=1 // +required 
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go new file mode 100644 index 0000000000..ca604e05c5 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go 
@@ -0,0 +1,87 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterImagePolicy holds cluster-wide configuration for image signature verification +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=SigstoreImageVerification +// +openshift:compatibility-gen:level=1 +type ClusterImagePolicy struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata"` + + // spec contains the configuration for the cluster image policy. + // +required + Spec ClusterImagePolicySpec `json:"spec"` + // status contains the observed state of the resource. + // +optional + Status ClusterImagePolicyStatus `json:"status"` +} + +// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource. +type ClusterImagePolicySpec struct { + // scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). 
+ // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + // This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + // For additional details about the format, please refer to the document explaining the docker transport field, + // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + // +required + // +kubebuilder:validation:MaxItems=256 + // +listType=set + Scopes []ImageScope `json:"scopes"` + // policy is a required field that contains configuration to allow scopes to be verified, and defines how + // images not matching the verification policy will be treated. 
+ // +required + Policy Policy `json:"policy"` +} + +// +k8s:deepcopy-gen=true +type ClusterImagePolicyStatus struct { + // conditions provide details on the status of this API Resource. + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterImagePolicyList is a list of ClusterImagePolicy resources +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type ClusterImagePolicyList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +required + metav1.ListMeta `json:"metadata"` + + // items is a list of ClusterImagePolices + // +kubebuilder:validation:MaxItems=1000 + // +required + Items []ClusterImagePolicy `json:"items"` +} diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 092bebff09..b89d487ca4 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -83,8 +83,8 @@ type ClusterVersionSpec struct { // // +optional Upstream URL `json:"upstream,omitempty"` - // channel is an identifier for explicitly requesting that a non-default - // set of updates be applied to this cluster. The default channel will be + // channel is an identifier for explicitly requesting a non-default set + // of updates to be applied to this cluster. The default channel will // contain stable updates that are appropriate for production clusters. // // +optional 
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go new file mode 100644 index 0000000000..54bd21adb4 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go 
@@ -0,0 +1,322 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ImagePolicy holds namespace-wide configuration for image signature verification +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=imagepolicies,scope=Namespaced +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=SigstoreImageVerification +// +openshift:compatibility-gen:level=1 +type ImagePolicy struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata"` + + // spec holds user settable values for configuration + // +required + Spec ImagePolicySpec `json:"spec"` + // status contains the observed state of the resource. + // +optional + Status ImagePolicyStatus `json:"status"` +} + +// ImagePolicySpec is the specification of the ImagePolicy CRD. +type ImagePolicySpec struct { + // scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). 
+ // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + // This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + // For additional details about the format, please refer to the document explaining the docker transport field, + // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + // +required + // +kubebuilder:validation:MaxItems=256 + // +listType=set + Scopes []ImageScope `json:"scopes"` + // policy is a required field that contains configuration to allow scopes to be verified, and defines how + // images not matching the verification policy will be treated. + // +required + Policy Policy `json:"policy"` +} + +// +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? 
self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" +// +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" +// +kubebuilder:validation:XValidation:rule=`!self.contains('*') ? self.matches('^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$') : true`,message="invalid repository namespace or image specification in the image scope" +// +kubebuilder:validation:MaxLength=512 +type ImageScope string + +// Policy defines the verification policy for the items in the scopes list. +type Policy struct { + // rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + // This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + // +required + RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` + // signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. 
+ // The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + // +optional + SignedIdentity *PolicyIdentity `json:"signedIdentity,omitempty"` +} + +// PolicyRootOfTrust defines the root of trust based on the selected policyType. +// +union +// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" +type PolicyRootOfTrust struct { + // policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + // Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + // When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + // When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. 
+ // +unionDiscriminator + // +required + PolicyType PolicyType `json:"policyType"` + // publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + // publicKey is required when policyType is PublicKey, and forbidden otherwise. + // +optional + PublicKey *PublicKey `json:"publicKey,omitempty"` + // fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + // fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + // For more information about Fulcio and Rekor, please refer to the document at: + // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + // +optional + FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + // pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + // pki is required when policyType is PKI, and forbidden otherwise. + // +optional + // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI + PKI *PKI `json:"pki,omitempty"` +} + +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI +type PolicyType string + +const ( + PublicKeyRootOfTrust PolicyType = "PublicKey" + FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" + PKIRootOfTrust PolicyType = "PKI" +) + +// PublicKey defines the root of trust based on a sigstore public key. +type PublicKey struct { + // keyData is a required field contains inline base64-encoded data for the PEM format public key. + // keyData must be at most 8192 characters. 
+ // +required
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:MinLength=68
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the keyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the keyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+ KeyData []byte `json:"keyData"`
+ // rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key.
+ // rekorKeyData must be at most 8192 characters.
+ // +optional
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+ RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+}
+
+// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type FulcioCAWithRekor struct {
+ // fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
+ // fulcioCAData must be at most 8192 characters.
+ // +required
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the fulcioCAData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the fulcioCAData must end with base64 encoding of '-----END CERTIFICATE-----'."
+ FulcioCAData []byte `json:"fulcioCAData"`
+ // rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key.
+ // rekorKeyData must be at most 8192 characters.
+ // +required
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+ RekorKeyData []byte `json:"rekorKeyData"`
+ // fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.
+ // +required
+ FulcioSubject PolicyFulcioSubject `json:"fulcioSubject"`
+}
+
+// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.
+type PolicyFulcioSubject struct {
+ // oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length.
+ // It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL.
+ // When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token.
+ // Example: "https://expected.OIDC.issuer/"
+ // +required
+ // +kubebuilder:validation:MaxLength=2048
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="oidcIssuer must be a valid URL"
+ OIDCIssuer string `json:"oidcIssuer"`
+ // signedEmail is a required field holds the email address that the Fulcio certificate is issued for.
+ // The signedEmail must be a valid email address and at most 320 characters in length.
+ // Example: "expected-signing-user@example.com"
+ // +required
+ // +kubebuilder:validation:MaxLength=320
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address"
+ SignedEmail string `json:"signedEmail"`
+}
+
+// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type PKI struct {
+ // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
+ // +required
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:MinLength=72
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers."
+ CertificateAuthorityRootsData []byte `json:"caRootsData"`
+ // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters.
+ // caIntermediatesData requires caRootsData to be set.
+ // +optional
+ // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'."
+ // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers."
+ // +kubebuilder:validation:MaxLength=8192
+ // +kubebuilder:validation:MinLength=72
+ CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"`
+
+ // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+ // +required
+ PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"`
+}
+
+// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject"
+// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
+type PKICertificateSubject struct {
+ // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.
+ // The email must be a valid email address and at most 320 characters in length.
+ // +optional
+ // +kubebuilder:validation:MaxLength:=320
+ // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address"
+ Email string `json:"email,omitempty"`
+ // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.
+ // The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length.
+ // It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.
+ // +optional
+ // +kubebuilder:validation:MaxLength:=253
+ // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk."
+ Hostname string `json:"hostname,omitempty"`
+}
+
+// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise"
+// +union
+type PolicyIdentity struct {
+ // matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope.
+ // Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact".
+ // When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity.
+ // When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity.
+ // When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository".
+ // When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.
+ // +unionDiscriminator
+ // +required
+ MatchPolicy IdentityMatchPolicy `json:"matchPolicy"`
+ // exactRepository specifies the repository that must be exactly matched by the identity in the signature.
+ // exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.
+ // +optional
+ PolicyMatchExactRepository *PolicyMatchExactRepository `json:"exactRepository,omitempty"`
+ // remapIdentity specifies the prefix remapping rule for verifying image identity.
+ // remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image.
+ // +optional
+ PolicyMatchRemapIdentity *PolicyMatchRemapIdentity `json:"remapIdentity,omitempty"`
+}
+
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule=`self.matches('.*:([\\w][\\w.-]{0,127})$')? self.matches('^(localhost:[0-9]+)$'): true`,message="invalid repository or prefix in the signedIdentity, should not include the tag or digest"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$')`,message="invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes."
+type IdentityRepositoryPrefix string
+
+type PolicyMatchExactRepository struct {
+ // repository is the reference of the image identity to be matched.
+ // repository is required if matchPolicy is set to "ExactRepository".
+ // The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox
+ // +required
+ Repository IdentityRepositoryPrefix `json:"repository"`
+}
+
+type PolicyMatchRemapIdentity struct {
+ // prefix is required if matchPolicy is set to "RemapIdentity".
+ // prefix is the prefix of the image identity to be matched.
+ // If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place).
+ // This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure.
+ // The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+ // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+ // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+ // +required
+ Prefix IdentityRepositoryPrefix `json:"prefix"`
+ // signedPrefix is required if matchPolicy is set to "RemapIdentity".
+ // signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+ // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+ // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+ // +required
+ SignedPrefix IdentityRepositoryPrefix `json:"signedPrefix"`
+}
+
+// IdentityMatchPolicy defines the type of matching for "matchPolicy".
+// +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity
+type IdentityMatchPolicy string
+
+const (
+ IdentityMatchPolicyMatchRepoDigestOrExact IdentityMatchPolicy = "MatchRepoDigestOrExact"
+ IdentityMatchPolicyMatchRepository IdentityMatchPolicy = "MatchRepository"
+ IdentityMatchPolicyExactRepository IdentityMatchPolicy = "ExactRepository"
+ IdentityMatchPolicyRemapIdentity IdentityMatchPolicy = "RemapIdentity"
+)
+
+// +k8s:deepcopy-gen=true
+type ImagePolicyStatus struct {
+ // conditions provide details on the status of this API Resource.
+ // condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=type
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImagePolicyList is a list of ImagePolicy resources
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImagePolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +required
+ metav1.ListMeta `json:"metadata"`
+
+ // items is a list of ImagePolicies
+ // +kubebuilder:validation:MaxItems=1000
+ // +required
+ Items []ImagePolicy `json:"items"`
+}
+
+const (
+ // ImagePolicyPending indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
+ ImagePolicyPending = "Pending"
+ // ImagePolicyApplied indicates that the policy has been applied
+ ImagePolicyApplied = "Applied"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 8140f54973..ffb0f3f603 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -630,7 +630,7 @@ const (
 )
 // GCPServiceEndpointName is the name of the GCP Service Endpoint.
-// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage;TagManager
+// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage
 type GCPServiceEndpointName string
 const (
@@ -657,9 +657,6 @@ const (
 // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint.
 GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage"
-
- // GCPServiceEndpointNameTagManager is the name used for the GCP Tag Manager Service endpoint.
- GCPServiceEndpointNameTagManager GCPServiceEndpointName = "TagManager"
 )
 // GCPServiceEndpoint store the configuration of a custom url to
@@ -755,7 +752,7 @@ type GCPPlatformStatus struct {
 // The maximum number of endpoint overrides allowed is 9.
 // +listType=map
 // +listMapKey=name
- // +kubebuilder:validation:MaxItems=9
+ // +kubebuilder:validation:MaxItems=8
 // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name"
 // +optional
 // +openshift:enable:FeatureGate=GCPCustomAPIEndpoints
@@ -1008,7 +1005,6 @@ type BareMetalPlatformStatus struct {
 // loadBalancer defines how the load balancer used by the cluster is configured.
 // +default={"type": "OpenShiftManagedDefault"}
 // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
 // +optional
 LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"`
@@ -1222,7 +1218,6 @@ type OvirtPlatformStatus struct {
 // loadBalancer defines how the load balancer used by the cluster is configured.
 // +default={"type": "OpenShiftManagedDefault"}
 // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
 // +optional
 LoadBalancer *OvirtPlatformLoadBalancer `json:"loadBalancer,omitempty"`
 }
@@ -1559,8 +1554,7 @@ type VSpherePlatformSpec struct {
 // + If VCenters is not defined use the existing cloud-config configmap defined
 // + in openshift-config.
 // +kubebuilder:validation:MinItems=0
- // +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1
- // +openshift:validation:FeatureGateAwareMaxItems:featureGate=VSphereMultiVCenters,maxItems=3
+ // +kubebuilder:validation:MaxItems=3
 // +kubebuilder:validation:XValidation:rule="size(self) != size(oldSelf) ? size(oldSelf) == 0 && size(self) < 2 : true",message="vcenters cannot be added or removed once set"
 // +listType=atomic
 // +optional
@@ -1672,7 +1666,6 @@ type VSpherePlatformStatus struct {
 // loadBalancer defines how the load balancer used by the cluster is configured.
 // +default={"type": "OpenShiftManagedDefault"}
 // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
 // +optional
 LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"`
@@ -2090,7 +2083,6 @@ type NutanixPlatformStatus struct {
 // loadBalancer defines how the load balancer used by the cluster is configured.
 // +default={"type": "OpenShiftManagedDefault"}
 // +kubebuilder:default={"type": "OpenShiftManagedDefault"}
- // +openshift:enable:FeatureGate=BareMetalLoadBalancer
 // +optional
 LoadBalancer *NutanixPlatformLoadBalancer `json:"loadBalancer,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
index f800eeb2a8..087b62dda1 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
@@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID:
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
index da1d0f028b..f93da1e2e2 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml index 39e37aaae7..300d94a714 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml index 6a9c342602..6fc2cb0d94 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml @@ -120,8 +120,8 @@ spec: type: object channel: description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. type: string clusterID: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index cac1477ec3..b10b46c6fb 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -270,6 +270,7 @@ spec: Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: atomic servingCertificate: 
@@ -287,6 +288,7 @@ spec: - name type: object type: object + maxItems: 32 type: array x-kubernetes-list-type: atomic type: object diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index c5206c23cb..44dc2924aa 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -201,6 +201,7 @@ spec: Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: atomic servingCertificate: @@ -218,6 +219,7 @@ spec: - name type: object type: object + maxItems: 32 type: array x-kubernetes-list-type: atomic type: object diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 894faf8468..843984380b 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -270,6 +270,7 @@ spec: Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: atomic servingCertificate: 
@@ -287,6 +288,7 @@ spec: - name type: object type: object + maxItems: 32 type: array x-kubernetes-list-type: atomic type: object diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 54fdb0b055..808e11aac3 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -270,6 +270,7 @@ spec: Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: atomic servingCertificate: @@ -287,6 +288,7 @@ spec: - name type: object type: object + maxItems: 32 type: array x-kubernetes-list-type: atomic type: object diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index db8b07e8dd..a42368f2bf 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml 
@@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index ea5c325228..687cdc83ee 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml 
@@ -79,27 +79,34 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -108,18 +115,33 @@ spec: type: object username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -127,25 +149,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -160,26 +185,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -188,7 +227,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -196,14 +245,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -213,10 +266,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -227,8 +285,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -236,24 +298,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -264,21 +353,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -295,6 +397,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -418,16 +521,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -501,8 +617,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -514,24 +632,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 6a4daafecc..d828678e9e 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 0fcf1d3f2c..c117ad8866 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 880ca79d92..be25dac52d 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 9ffcd225a6..5b604bbd20 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index e258aa25da..9ea5ab87b9 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -79,8 +79,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- 
@@ -185,22 +186,28 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string 
@@ -259,18 +266,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: 
@@ -278,25 +300,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. 
+ As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix 
@@ -311,26 +336,40 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: requiredClaim: description: |- - requiredClaim allows configuring a required claim name and its expected - value + requiredClaim is an optional field that configures the required claim + and value that the Kubernetes API server will use to validate if an incoming + JWT is valid for this identity provider. properties: claim: description: |- - claim is a name of a required claim. Only claims with string values are - supported. + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: 
@@ -339,7 +378,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim type: string @@ -347,14 +396,18 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string 
@@ -364,10 +417,15 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +436,12 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string required: 
@@ -387,24 +449,51 @@ spec: - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. 
+ + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced 
@@ -415,21 +504,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -446,6 +548,7 @@ spec: - componentName x-kubernetes-list-type: map required: + - claimMappings - issuer - name type: object 
@@ -569,16 +672,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -652,8 +768,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. 
@@ -665,24 +783,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..8794f271fa --- /dev/null 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..c36e20e2da --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..d4b1ae9cb3 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..f71c649524 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..99d2af1333 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..a8b7aba7c2 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. 
+ properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
+ Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. 
+ format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. 
+ properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
+ When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. 
+ rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. 
+ repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
+ self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. 
+ rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
+ In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml index d984f8f9c9..02ae2dcb45 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml @@ -1917,7 +1917,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1943,7 +1942,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 5f569b44e6..6dcc0cfb6a 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml @@ -718,7 +718,7 @@ spec: //network/. items: type: string - maxItems: 1 + maxItems: 10 minItems: 1 type: array x-kubernetes-list-type: atomic diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml index 7c16c2b686..f0e96f9fa4 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml @@ -1917,7 +1917,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1943,7 +1942,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml index 14727c9beb..0391eb184d 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml @@ -1916,7 +1916,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -1942,7 +1941,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 38aa2f6f33..70edc17699 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go 
@@ -1024,6 +1024,112 @@ func (in *ClusterCondition) DeepCopy() *ClusterCondition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy. +func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy { + if in == nil { + return nil + } + out := new(ClusterImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList. +func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList { + if in == nil { + return nil + } + out := new(ClusterImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec. +func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec { + if in == nil { + return nil + } + out := new(ClusterImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus. +func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus { + if in == nil { + return nil + } + out := new(ClusterImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterNetworkEntry) DeepCopyInto(out *ClusterNetworkEntry) { *out = *in 
@@ -2229,6 +2335,33 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. +func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { + if in == nil { + return nil + } + out := new(FulcioCAWithRekor) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) { *out = *in 
@@ -2922,6 +3055,112 @@ func (in *ImageList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. +func (in *ImagePolicy) DeepCopy() *ImagePolicy { + if in == nil { + return nil + } + out := new(ImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. +func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { + if in == nil { + return nil + } + out := new(ImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. +func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { + if in == nil { + return nil + } + out := new(ImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. +func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { + if in == nil { + return nil + } + out := new(ImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in 
@@ -4732,6 +4971,49 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in 
@@ -4904,6 +5186,133 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + if in.SignedIdentity != nil { + in, out := &in.SignedIdentity, &out.SignedIdentity + *out = new(PolicyIdentity) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject. +func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject { + if in == nil { + return nil + } + out := new(PolicyFulcioSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) { + *out = *in + if in.PolicyMatchExactRepository != nil { + in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository + *out = new(PolicyMatchExactRepository) + **out = **in + } + if in.PolicyMatchRemapIdentity != nil { + in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity + *out = new(PolicyMatchRemapIdentity) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity. 
+func (in *PolicyIdentity) DeepCopy() *PolicyIdentity { + if in == nil { + return nil + } + out := new(PolicyIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository. +func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository { + if in == nil { + return nil + } + out := new(PolicyMatchExactRepository) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity. +func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity { + if in == nil { + return nil + } + out := new(PolicyMatchRemapIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { + *out = *in + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(PublicKey) + (*in).DeepCopyInto(*out) + } + if in.FulcioCAWithRekor != nil { + in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor + *out = new(FulcioCAWithRekor) + (*in).DeepCopyInto(*out) + } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust. 
+func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { + if in == nil { + return nil + } + out := new(PolicyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PowerVSPlatformSpec) DeepCopyInto(out *PowerVSPlatformSpec) { *out = *in @@ -5204,6 +5613,32 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PublicKey) DeepCopyInto(out *PublicKey) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. +func (in *PublicKey) DeepCopy() *PublicKey { + if in == nil { + return nil + } + out := new(PublicKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) { *out = *in @@ -5902,7 +6337,6 @@ func (in *UpdateHistory) DeepCopy() *UpdateHistory { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping) { *out = *in - out.TokenClaimMapping = in.TokenClaimMapping if in.Prefix != nil { in, out := &in.Prefix, &out.Prefix *out = new(UsernamePrefix) diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index d8768ad0c3..19a304c17b 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -66,6 +66,30 @@ builds.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +clusterimagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: clusterimagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ClusterImagePolicy + Labels: {} + PluralName: clusterimagepolicies + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + clusteroperators.config.openshift.io: Annotations: include.release.openshift.io/self-managed-high-availability: "true" @@ -282,6 +306,30 @@ imagedigestmirrorsets.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +imagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: imagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ImagePolicy + Labels: {} + PluralName: imagepolicies + PrinterColumns: [] + Scope: Namespaced + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + imagetagmirrorsets.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" 
@@ -314,7 +362,6 @@ infrastructures.config.openshift.io: Category: "" FeatureGates: - AWSClusterHostedDNS - - BareMetalLoadBalancer - DualReplica - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNS @@ -325,7 +372,6 @@ infrastructures.config.openshift.io: - NutanixMultiSubnets - VSphereHostVMGroupZonal - VSphereMultiNetworks - - VSphereMultiVCenters FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 5f99eedd72..eb78ad7ca6 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -407,11 +407,12 @@ func (ExtraMapping) SwaggerDoc() map[string]string { } var map_OIDCClientConfig = map[string]string{ - "componentName": "componentName is the name of the component that is supposed to consume this client configuration", - "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", - "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", - "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. 
The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { 
@@ -419,9 +420,10 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "": "OIDCClientReference is a reference to a platform component client configuration.", + "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", } func (OIDCClientReference) SwaggerDoc() map[string]string { 
@@ -429,10 +431,11 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "componentName": "componentName is the name of the component that will consume a client configuration.", - "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", - "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", - "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. 
Entries must have unique issuerURL/clientID pairs.", + "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } 
@@ -441,11 +444,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name of the OIDC provider", - "issuer": "issuer describes atributes of the OIDC token issuer", - "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", - "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", - "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", } func (OIDCProvider) SwaggerDoc() map[string]string { 
@@ -453,7 +456,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -461,7 +465,8 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "claim": "claim is a JWT token claim to be used in the mapping", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { 
@@ -469,8 +474,8 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", - "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", } 
@@ -490,8 +495,8 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { } var map_TokenClaimValidationRule = map[string]string{ - "type": "type sets the type of the validation rule", - "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { 
@@ -499,9 +504,9 @@ func (TokenClaimValidationRule) SwaggerDoc() map[string]string { } var map_TokenIssuer = map[string]string{ - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", - "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nissuerURL must use the 'https' scheme.", + "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", } func (TokenIssuer) SwaggerDoc() map[string]string { 
@@ -509,8 +514,8 @@ func (TokenIssuer) SwaggerDoc() map[string]string { } var map_TokenRequiredClaim = map[string]string{ - "claim": "claim is a name of a required claim. Only claims with string values are supported.", - "requiredValue": "requiredValue is the required value for the claim.", + "claim": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { 
@@ -518,13 +523,24 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } func (UsernameClaimMapping) SwaggerDoc() map[string]string { return map_UsernameClaimMapping } +var map_UsernamePrefix = map[string]string{ + "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +} + +func (UsernamePrefix) SwaggerDoc() map[string]string { + return map_UsernamePrefix +} + var map_WebhookTokenAuthenticator = map[string]string{ "": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.", 
@@ -595,6 +611,45 @@ func (ImageLabel) SwaggerDoc() map[string]string { return map_ImageLabel } +var map_ClusterImagePolicy = map[string]string{ + "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the configuration for the cluster image policy.", + "status": "status contains the observed state of the resource.", +} + +func (ClusterImagePolicy) SwaggerDoc() map[string]string { + return map_ClusterImagePolicy +} + +var map_ClusterImagePolicyList = map[string]string{ + "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ClusterImagePolices", +} + +func (ClusterImagePolicyList) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyList +} + +var map_ClusterImagePolicySpec = map[string]string{ + "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). 
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { + return map_ClusterImagePolicySpec +} + +var map_ClusterImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyStatus +} + var map_ClusterOperator = map[string]string{ "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -724,7 +779,7 @@ var map_ClusterVersionSpec = map[string]string{ "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", "upstream": "upstream may be used to specify the preferred update server. 
By default it will use the appropriate update server for the cluster and region.", - "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + "channel": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", 
@@ -1159,6 +1214,147 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } +var map_FulcioCAWithRekor = map[string]string{ + "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (FulcioCAWithRekor) SwaggerDoc() map[string]string { + return map_FulcioCAWithRekor +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ImagePolicies", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. 
If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. 
", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. 
This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + +var map_PolicyFulcioSubject = map[string]string{ + "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", +} + +func (PolicyFulcioSubject) SwaggerDoc() map[string]string { + return map_PolicyFulcioSubject +} + +var map_PolicyIdentity = map[string]string{ + "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "matchPolicy": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". 
When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "remapIdentity": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", +} + +func (PolicyIdentity) SwaggerDoc() map[string]string { + return map_PolicyIdentity +} + +var map_PolicyMatchExactRepository = map[string]string{ + "repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". 
For example, docker.io/library/busybox", +} + +func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { + return map_PolicyMatchExactRepository +} + +var map_PolicyMatchRemapIdentity = map[string]string{ + "prefix": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. 
For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", +} + +func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { + return map_PolicyMatchRemapIdentity +} + +var map_PolicyRootOfTrust = map[string]string{ + "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. 
pki is required when policyType is PKI, and forbidden otherwise.", +} + +func (PolicyRootOfTrust) SwaggerDoc() map[string]string { + return map_PolicyRootOfTrust +} + +var map_PublicKey = map[string]string{ + "": "PublicKey defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (PublicKey) SwaggerDoc() map[string]string { + return map_PublicKey +} + var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 24ff257c93..5ffeac40d9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go 
@@ -78,7 +78,7 @@ type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - // "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index a28b3d96ac..bb8153a46b 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml 
@@ -192,7 +192,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 54eb27b8c9..7679f6ceb9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -192,7 +192,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 6c6a33d081..a705342474 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml 
@@ -102,12 +102,101 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. 
+ rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email should be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? 
!format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -134,6 +223,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index a5388dd5c0..6427e97830 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -192,7 +192,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index 8ecf5eea9f..16ffd2179a 100644 
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -192,7 +192,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 86f26ea810..1bc3638ad2 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml 
@@ -102,12 +102,101 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. 
+ rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email should be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? 
!format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -134,6 +223,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 504281540b..3b145db6cf 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -285,7 +285,7 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "publicKey": "publicKey defines the root of trust based on a sigstore public key.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. 
For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 9db4d74325..e8c5a19308 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md 
@@ -4,18 +4,25 @@ | EventedPLEG| | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | +| MutatingAdmissionPolicy| | | | | | | | ShortCertRotation| | | | | | | +| BootImageSkewEnforcement| | | Enabled | Enabled | | | | ClusterVersionOperatorConfiguration| | | Enabled | Enabled | | | | DualReplica| | | Enabled | Enabled | | | | Example2| | | Enabled | Enabled | | | | NewOLMCatalogdAPIV1Metas| | | | Enabled | | Enabled | +| NewOLMOwnSingleNamespace| | | | Enabled | | Enabled | | NewOLMPreflightPermissionChecks| | | | Enabled | | Enabled | -| SELinuxChangePolicy| | | Enabled | Enabled | | | +| NewOLMWebhookProviderOpenshiftServiceCA| | | | Enabled | | Enabled | | SELinuxMount| | | Enabled | Enabled | | | -| SigstoreImageVerificationPKI| | | Enabled | Enabled | | | +| VSphereMixedNodeEnv| | | Enabled | Enabled | | | | NewOLM| | Enabled | | Enabled | | Enabled | | AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | +| AWSDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AWSServiceLBNetworkSecurityGroup| | | Enabled | Enabled | Enabled | Enabled | | AutomatedEtcdBackup| | | Enabled | Enabled | Enabled | Enabled | +| AzureDedicatedHosts| | | Enabled | Enabled | Enabled | Enabled | +| AzureMultiDisk| | | Enabled | Enabled | Enabled | Enabled | | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | 
@@ -28,6 +35,7 @@ | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | | HighlyAvailableArbiter| | | Enabled | Enabled | Enabled | Enabled | +| ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | 
@@ -36,29 +44,23 @@ | InsightsRuntimeExtractor| | | Enabled | Enabled | Enabled | Enabled | | KMSEncryptionProvider| | | Enabled | Enabled | Enabled | Enabled | | MachineAPIMigration| | | Enabled | Enabled | Enabled | Enabled | -| MachineAPIProviderOpenStack| | | Enabled | Enabled | Enabled | Enabled | -| MachineConfigNodes| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesAzure| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesvSphere| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | | MinimumKubeletVersion| | | Enabled | Enabled | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled | | NodeSwap| | | Enabled | Enabled | Enabled | Enabled | | NutanixMultiSubnets| | | Enabled | Enabled | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | Enabled | Enabled | -| PinnedImages| | | Enabled | Enabled | Enabled | Enabled | -| PlatformOperators| | | Enabled | Enabled | Enabled | Enabled | -| ProcMountType| | | Enabled | Enabled | Enabled | Enabled | -| RouteAdvertisements| | | Enabled | Enabled | Enabled | Enabled | -| ServiceAccountTokenNodeBinding| | | Enabled | Enabled | Enabled | Enabled | +| PreconfiguredUDNAddresses| | | Enabled | Enabled | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| | | Enabled | Enabled | Enabled | Enabled | +| SigstoreImageVerificationPKI| | | Enabled | Enabled | Enabled | Enabled | | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | | UpgradeStatus| | | Enabled | Enabled | Enabled | Enabled | -| UserNamespacesPodSecurityStandards| | | Enabled | Enabled | Enabled | Enabled | -| UserNamespacesSupport| | | Enabled | Enabled | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled | 
| VSphereMultiDisk| | | Enabled | Enabled | Enabled | Enabled | -| VSphereMultiNetworks| | | Enabled | Enabled | Enabled | Enabled | | VolumeAttributesClass| | | Enabled | Enabled | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | | Enabled | Enabled | Enabled | Enabled | 
@@ -67,34 +69,33 @@ | AdminNetworkPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AlibabaPlatform| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| BareMetalLoadBalancer| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ChunkSizeMiB| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| CloudDualStackNodeIPs| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| DisableKubeletCloudCredentialProviders| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GCPLabelsTags| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPIController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | HardwareSpeed| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | IngressControllerLBSubnetsAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| MachineConfigNodes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MetricsCollectionProfiles| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| MultiArchInstallAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| MultiArchInstallGCP| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkLiveMigration| Enabled | Enabled | Enabled | 
Enabled | Enabled | Enabled | | NetworkSegmentation| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| NodeDisruptionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | OnClusterBuild| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | PersistentIPsForVirtualization| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| PrivateHostedZoneAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| PinnedImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ProcMountType| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| RouteAdvertisements| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereDriverConfiguration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| VSphereMultiVCenters| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ValidatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 17786fa40a..9e0763e4cf 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go 
@@ -46,10 +46,10 @@ var ( FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). - contactPerson("stlaz"). + contactPerson("ibihim"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateValidatingAdmissionPolicy = newFeatureGate("ValidatingAdmissionPolicy"). @@ -60,6 +60,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateMutatingAdmissionPolicy = newFeatureGate("MutatingAdmissionPolicy"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("benluddy"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3962"). + enableIn(). + mustRegister() + FeatureGateGatewayAPI = newFeatureGate("GatewayAPI"). reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). @@ -100,14 +108,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateMachineAPIProviderOpenStack = newFeatureGate("MachineAPIProviderOpenStack"). - reportProblemsToJiraComponent("openstack"). - contactPerson("egarcia"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsConfigAPI = newFeatureGate("InsightsConfigAPI"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). 
@@ -140,6 +140,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts"). + reportProblemsToJiraComponent("installer"). + contactPerson("rvanderp3"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1783"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMaxUnavailableStatefulSet = newFeatureGate("MaxUnavailableStatefulSet"). reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). @@ -155,14 +163,6 @@ var ( enhancementPR("https://github.com/kubernetes/enhancements/issues/3386"). mustRegister() - FeatureGatePrivateHostedZoneAWS = newFeatureGate("PrivateHostedZoneAWS"). - reportProblemsToJiraComponent("Routing"). - contactPerson("miciah"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateSigstoreImageVerification = newFeatureGate("SigstoreImageVerification"). reportProblemsToJiraComponent("node"). contactPerson("sgrunert"). @@ -176,7 +176,7 @@ var ( contactPerson("QiWang"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1658"). - enableIn(configv1.DevPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateGCPLabelsTags = newFeatureGate("GCPLabelsTags"). 
@@ -195,14 +195,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateCloudDualStackNodeIPs = newFeatureGate("CloudDualStackNodeIPs"). - reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). - contactPerson("mkowalsk"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). reportProblemsToJiraComponent("splat"). contactPerson("jcpowermac"). @@ -219,14 +211,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateVSphereMultiVCenters = newFeatureGate("VSphereMultiVCenters"). - reportProblemsToJiraComponent("splat"). - contactPerson("vr4manta"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate"). reportProblemsToJiraComponent("router"). contactPerson("chiragkyal"). @@ -272,7 +256,7 @@ var ( contactPerson("jcaamano"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). 
@@ -340,12 +324,20 @@ var ( FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes"). reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("cdoern"). + contactPerson("ijanssen"). productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1765"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("ijanssen"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1809"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateClusterAPIInstall = newFeatureGate("ClusterAPIInstall"). reportProblemsToJiraComponent("Installer"). contactPerson("vincepri"). 
@@ -393,13 +385,29 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). - reportProblemsToJiraComponent("cloud-provider"). - contactPerson("jspeed"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("rsaini"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1496"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateManagedBootImagesAzure = newFeatureGate("ManagedBootImagesAzure"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("djoshy"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1761"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("djoshy"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1761"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() FeatureGateOnClusterBuild = newFeatureGate("OnClusterBuild"). reportProblemsToJiraComponent("MachineConfigOperator"). 
@@ -435,10 +443,10 @@ var (
 
 	FeatureGatePinnedImages = newFeatureGate("PinnedImages").
 		reportProblemsToJiraComponent("MachineConfigOperator").
-		contactPerson("jhernand").
+		contactPerson("RishabhSaini").
 		productScope(ocpSpecific).
 		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
 	FeatureGateUpgradeStatus = newFeatureGate("UpgradeStatus").
@@ -483,13 +491,13 @@ var (
 		mustRegister()
 
 	FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings").
-		reportProblemsToJiraComponent("authentication").
-		contactPerson("bpalmer").
-		productScope(ocpSpecific).
-		enhancementPR("https://github.com/openshift/enhancements/pull/1777").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
+		reportProblemsToJiraComponent("authentication").
+		contactPerson("bpalmer").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1777").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
 
 	FeatureGateExample = newFeatureGate("Example").
 		reportProblemsToJiraComponent("cluster-config").
@@ -507,14 +515,6 @@ var (
 		enableIn(configv1.DevPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGatePlatformOperators = newFeatureGate("PlatformOperators").
-		reportProblemsToJiraComponent("olm").
-		contactPerson("joe").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateNewOLM = newFeatureGate("NewOLM").
 		reportProblemsToJiraComponent("olm").
 		contactPerson("joe").
@@ -539,6 +539,22 @@ var (
 		enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
+	FeatureGateNewOLMOwnSingleNamespace = newFeatureGate("NewOLMOwnSingleNamespace").
+		reportProblemsToJiraComponent("olm").
+		contactPerson("nschieder").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1774").
+		enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA").
+		reportProblemsToJiraComponent("olm").
+		contactPerson("pegoncal").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1799").
+		enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
 	FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
 		reportProblemsToJiraComponent("insights").
 		contactPerson("tremes").
@@ -547,14 +563,6 @@ var (
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGateBareMetalLoadBalancer = newFeatureGate("BareMetalLoadBalancer").
-		reportProblemsToJiraComponent("metal").
-		contactPerson("EmilienM").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateInsightsConfig = newFeatureGate("InsightsConfig").
 		reportProblemsToJiraComponent("insights").
 		contactPerson("tremes").
@@ -563,14 +571,6 @@ var (
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGateNodeDisruptionPolicy = newFeatureGate("NodeDisruptionPolicy").
-		reportProblemsToJiraComponent("MachineConfigOperator").
-		contactPerson("jerzhang").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateMetricsCollectionProfiles = newFeatureGate("MetricsCollectionProfiles").
 		reportProblemsToJiraComponent("Monitoring").
 		contactPerson("rexagod").
@@ -579,14 +579,6 @@ var (
 		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGateVSphereDriverConfiguration = newFeatureGate("VSphereDriverConfiguration").
-		reportProblemsToJiraComponent("Storage / Kubernetes External Components").
-		contactPerson("rbednar").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateClusterAPIInstallIBMCloud = newFeatureGate("ClusterAPIInstallIBMCloud").
 		reportProblemsToJiraComponent("Installer").
 		contactPerson("cjschaef").
@@ -627,14 +619,6 @@ var (
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGateMultiArchInstallAWS = newFeatureGate("MultiArchInstallAWS").
-		reportProblemsToJiraComponent("Installer").
-		contactPerson("r4f4").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure").
 		reportProblemsToJiraComponent("Installer").
 		contactPerson("r4f4").
@@ -642,14 +626,6 @@ var (
 		enhancementPR(legacyFeatureGateWithoutEnhancement).
 		mustRegister()
 
-	FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP").
-		reportProblemsToJiraComponent("Installer").
-		contactPerson("r4f4").
-		productScope(ocpSpecific).
-		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS").
 		reportProblemsToJiraComponent("Routing").
 		contactPerson("miciah").
@@ -679,15 +655,18 @@ var (
 		contactPerson("haircommander").
 		productScope(kubernetes).
 		enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 		mustRegister()
 
+	// Note: this feature is perma-alpha, but it is safe and desireable to enable.
+	// It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33.
+	// See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration
 	FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
 		reportProblemsToJiraComponent("Node").
 		contactPerson("haircommander").
 		productScope(kubernetes).
 		enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 		mustRegister()
 
 	FeatureGateProcMountType = newFeatureGate("ProcMountType").
@@ -695,7 +674,7 @@ var (
 		contactPerson("haircommander").
 		productScope(kubernetes).
 		enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 		mustRegister()
 
 	FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
@@ -703,7 +682,7 @@ var (
 		contactPerson("rvanderp").
 		productScope(ocpSpecific).
 		enhancementPR(legacyFeatureGateWithoutEnhancement).
-		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
 	FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager").
@@ -773,14 +752,6 @@ var (
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
 
-	FeatureGateSELinuxChangePolicy = newFeatureGate("SELinuxChangePolicy").
-		reportProblemsToJiraComponent("Storage / Kubernetes").
-		contactPerson("jsafrane").
-		productScope(kubernetes).
-		enhancementPR("https://github.com/kubernetes/enhancements/issues/1710").
-		enableIn(configv1.DevPreviewNoUpgrade).
-		mustRegister()
-
 	FeatureGateSELinuxMount = newFeatureGate("SELinuxMount").
 		reportProblemsToJiraComponent("Storage / Kubernetes").
 		contactPerson("jsafrane").
@@ -827,4 +798,44 @@ var (
 		enhancementPR("https://github.com/openshift/enhancements/pull/1748").
 		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 		mustRegister()
+
+	FeatureGateAzureMultiDisk = newFeatureGate("AzureMultiDisk").
+		reportProblemsToJiraComponent("splat").
+		contactPerson("jcpowermac").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1779").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateAWSDedicatedHosts = newFeatureGate("AWSDedicatedHosts").
+		reportProblemsToJiraComponent("Installer").
+		contactPerson("faermanj").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1781").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateVSphereMixedNodeEnv = newFeatureGate("VSphereMixedNodeEnv").
+		reportProblemsToJiraComponent("splat").
+		contactPerson("vr4manta").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1772").
+		enableIn(configv1.DevPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGatePreconfiguredUDNAddresses = newFeatureGate("PreconfiguredUDNAddresses").
+		reportProblemsToJiraComponent("Networking/ovn-kubernetes").
+		contactPerson("kyrtapz").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1793").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
+
+	FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
+		reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager").
+		contactPerson("mtulio").
+		productScope(ocpSpecific).
+		enhancementPR("https://github.com/openshift/enhancements/pull/1802").
+		enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index 132a3dacb3..67572c31ca 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -17,8 +17,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"AzureWorkloadIdentity",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"BareMetalLoadBalancer",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"BootcNodeManagement",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"BuildCSIVolumes",
@@ -93,8 +91,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"NewOLM",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"NodeDisruptionPolicy",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"OVNObservability",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"OnClusterBuild",
@@ -103,8 +99,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"PinnedImages",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"PlatformOperators",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"PrivateHostedZoneAWS",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"RouteAdvertisements",
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
index d69bcd0233..db15df2cc4 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
@@ -140,8 +140,10 @@ type BlockDeviceMappingSpec struct {
 // https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice
 type EBSBlockDeviceSpec struct {
 	// Indicates whether the EBS volume is deleted on machine termination.
+	//
+	// Deprecated: setting this field has no effect.
 	// +optional
-	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty"`
+	DeprecatedDeleteOnTermination *bool `json:"deleteOnTermination,omitempty"`
 	// Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes
 	// may only be attached to machines that support Amazon EBS encryption.
 	// +optional
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
index ef8f1a55fe..7763435a9e 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
@@ -518,8 +518,8 @@ func (in *DiskSettings) DeepCopy() *DiskSettings { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = *in - if in.DeleteOnTermination != nil { - in, out := &in.DeleteOnTermination, &out.DeleteOnTermination + if in.DeprecatedDeleteOnTermination != nil { + in, out := &in.DeprecatedDeleteOnTermination, &out.DeprecatedDeleteOnTermination *out = new(bool) **out = **in }
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
index b2e55376fe..2667a0aa24 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
@@ -84,7 +84,7 @@ func (BlockDeviceMappingSpec) SwaggerDoc() map[string]string { var map_EBSBlockDeviceSpec = map[string]string{ "": "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", - "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.", + "deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", "encrypted": "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", "kmsKey": "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", "iops": "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosbuild.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosbuild.go index beea7e7dcd..4a1681fb5e 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosbuild.go 
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosbuild.go
@@ -179,10 +179,10 @@ type ObjectReference struct {
 	Group string `json:"group"`
 	// resource of the referent.
 	// This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens,
-	// and should start and end with an alphanumeric character.
+	// and should start with an alphabetic character and end with an alphanumeric character.
 	// Example: "deployments", "deploymentconfigs", "pods", etc.
 	// +required
-	// +kubebuilder:validation:XValidation:rule=`!format.dns1123Label().validate(self).hasValue()`,message="the value must consist of only lowercase alphanumeric characters and hyphens"
+	// +kubebuilder:validation:XValidation:rule=`!format.dns1035Label().validate(self).hasValue()`,message="a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character"
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=63
 	Resource string `json:"resource"`
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
index 5333ad825a..71a4bf482f 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
@@ -2197,7 +2197,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |-
@@ -2223,7 +2222,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml index 41e49f7d39..c6b83d3254 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml @@ -1001,7 +1001,7 @@ spec: //network/. items: type: string - maxItems: 1 + maxItems: 10 minItems: 1 type: array x-kubernetes-list-type: atomic diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml index 67ce832c92..7eef7d358c 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml @@ -2197,7 +2197,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -2223,7 +2222,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml index c454190ec0..e7085a8826 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml @@ -2196,7 +2196,6 @@ spec: - IAM - ServiceUsage - Storage - - TagManager type: string url: description: |- @@ -2222,7 +2221,7 @@ spec: - name - url type: object - maxItems: 9 + maxItems: 8 type: array x-kubernetes-list-map-keys: - name diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index b3cfdf48ca..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,379 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2255 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfignodes.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigNode - listKind: MachineConfigNodeList - plural: machineconfignodes - singular: machineconfignode - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.pool.name - name: PoolName - type: string - - jsonPath: .spec.configVersion.desired - name: DesiredConfig - type: string - - jsonPath: .status.configVersion.current - name: CurrentConfig - type: string - - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status - name: UpdatePrepared - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status - name: UpdateExecuted - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status - name: UpdatePostActionComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status - name: UpdateComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Resumed")].status - name: Resumed - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Cordoned")].status - name: CordonedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Drained")].status - name: 
DrainedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status - name: RebootedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status - name: UncordonedNode - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - MachineConfigNode describes the health of the Machines on the system - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of the machine config node. - properties: - configVersion: - description: |- - configVersion holds the desired config version for the node targeted by this machine config node resource. - The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates - the new machine config against the current machine config. - properties: - desired: - description: |- - desired is the name of the machine config that the the node should be upgraded to. - This value is set when the machine config pool generates a new version of its rendered configuration. 
- When this value is changed, the machine config daemon starts the node upgrade process. - This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - node: - description: node contains a reference to the node for this machine - config node. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - pool: - description: |- - pool contains a reference to the machine config pool that this machine config node's - referenced node belongs to. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. 
- Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - required: - - configVersion - - node - - pool - type: object - status: - description: status describes the last observed state of this machine - config node. - properties: - conditions: - description: |- - conditions represent the observations of a machine config node's current state. Valid types are: - UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, - Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - and PinnedImageSetsDegraded. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - configVersion: - description: configVersion describes the current and desired machine - config version for this node. - properties: - current: - description: |- - current is the name of the machine config currently in use on the node. - This value is updated once the machine config daemon has completed the update of the configuration for the node. - This value should match the desired version unless an upgrade is in progress. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - desired: - description: |- - desired is the MachineConfig the node wants to upgrade to. - This value gets set in the machine config node status once the machine config has been validated - against the current machine config. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - observedGeneration: - description: |- - observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. - This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. - format: int64 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not decrease - rule: self >= oldSelf - pinnedImageSets: - description: pinnedImageSets describes the current and desired pinned - image sets for this node. - items: - description: MachineConfigNodeStatusPinnedImageSet holds information - about the current, desired, and failed pinned image sets for the - observed machine config node. 
- properties: - currentGeneration: - description: currentGeneration is the generation of the pinned - image set that has most recently been successfully pulled - and pinned on this node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: currentGeneration must not decrease - rule: self >= oldSelf - desiredGeneration: - description: desiredGeneration is the generation of the pinned - image set that is targeted to be pulled and pinned on this - node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: desiredGeneration must not decrease - rule: self >= oldSelf - lastFailedGeneration: - description: lastFailedGeneration is the generation of the most - recent pinned image set that failed to be pulled and pinned - on this node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: lastFailedGeneration must not decrease - rule: self >= oldSelf - lastFailedGenerationError: - description: |- - lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. - The error is an empty string if the image pull and pin is successful. - maxLength: 32768 - type: string - name: - description: |- - name is the name of the pinned image set. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start - and end with an alphanumeric character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - x-kubernetes-validations: - - message: desired generation must be greater than or equal to the - current generation - rule: 'has(self.desiredGeneration) && has(self.currentGeneration) - ? self.desiredGeneration >= self.currentGeneration : true' - - message: desired generation must be greater than or equal to the - last failed generation - rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) - ? self.desiredGeneration >= self.lastFailedGeneration : true' - - message: last failed generation error must be defined on image - pull and pin failure - rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) - : true' - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: spec.node.name should match metadata.name - rule: self.metadata.name == self.spec.node.name - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index aa3267e1c8..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,379 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2255 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfignodes.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigNode - listKind: MachineConfigNodeList - plural: machineconfignodes - singular: machineconfignode - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.pool.name - name: PoolName - type: string - - jsonPath: .spec.configVersion.desired - name: DesiredConfig - type: string - - jsonPath: .status.configVersion.current - name: CurrentConfig - type: string - - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status - name: UpdatePrepared - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status - name: UpdateExecuted - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status - name: UpdatePostActionComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status - name: UpdateComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Resumed")].status - name: Resumed - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Cordoned")].status - name: CordonedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Drained")].status - name: 
DrainedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status - name: RebootedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status - name: UncordonedNode - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - MachineConfigNode describes the health of the Machines on the system - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of the machine config node. - properties: - configVersion: - description: |- - configVersion holds the desired config version for the node targeted by this machine config node resource. - The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates - the new machine config against the current machine config. - properties: - desired: - description: |- - desired is the name of the machine config that the the node should be upgraded to. - This value is set when the machine config pool generates a new version of its rendered configuration. 
- When this value is changed, the machine config daemon starts the node upgrade process. - This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - node: - description: node contains a reference to the node for this machine - config node. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - pool: - description: |- - pool contains a reference to the machine config pool that this machine config node's - referenced node belongs to. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. 
- Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - required: - - configVersion - - node - - pool - type: object - status: - description: status describes the last observed state of this machine - config node. - properties: - conditions: - description: |- - conditions represent the observations of a machine config node's current state. Valid types are: - UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, - Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - and PinnedImageSetsDegraded. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - configVersion: - description: configVersion describes the current and desired machine - config version for this node. - properties: - current: - description: |- - current is the name of the machine config currently in use on the node. - This value is updated once the machine config daemon has completed the update of the configuration for the node. - This value should match the desired version unless an upgrade is in progress. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - desired: - description: |- - desired is the MachineConfig the node wants to upgrade to. - This value gets set in the machine config node status once the machine config has been validated - against the current machine config. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - observedGeneration: - description: |- - observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. - This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. - format: int64 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not decrease - rule: self >= oldSelf - pinnedImageSets: - description: pinnedImageSets describes the current and desired pinned - image sets for this node. - items: - description: MachineConfigNodeStatusPinnedImageSet holds information - about the current, desired, and failed pinned image sets for the - observed machine config node. 
- properties: - currentGeneration: - description: currentGeneration is the generation of the pinned - image set that has most recently been successfully pulled - and pinned on this node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: currentGeneration must not decrease - rule: self >= oldSelf - desiredGeneration: - description: desiredGeneration is the generation of the pinned - image set that is targeted to be pulled and pinned on this - node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: desiredGeneration must not decrease - rule: self >= oldSelf - lastFailedGeneration: - description: lastFailedGeneration is the generation of the most - recent pinned image set that failed to be pulled and pinned - on this node. - format: int32 - minimum: 1 - type: integer - x-kubernetes-validations: - - message: lastFailedGeneration must not decrease - rule: self >= oldSelf - lastFailedGenerationError: - description: |- - lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. - The error is an empty string if the image pull and pin is successful. - maxLength: 32768 - type: string - name: - description: |- - name is the name of the pinned image set. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start - and end with an alphanumeric character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - x-kubernetes-validations: - - message: desired generation must be greater than or equal to the - current generation - rule: 'has(self.desiredGeneration) && has(self.currentGeneration) - ? self.desiredGeneration >= self.currentGeneration : true' - - message: desired generation must be greater than or equal to the - last failed generation - rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) - ? self.desiredGeneration >= self.lastFailedGeneration : true' - - message: last failed generation error must be defined on image - pull and pin failure - rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) - : true' - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: spec.node.name should match metadata.name - rule: self.metadata.name == self.spec.node.name - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml index b386ad31f7..0631b41096 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml 
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade labels: openshift.io/operator-managed: "" name: machineconfignodes.machineconfiguration.openshift.io diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-Default.crd.yaml deleted file mode 100644 index a198447e08..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-Default.crd.yaml +++ /dev/null 
@@ -1,500 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1453 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - labels: - openshift.io/operator-managed: "" - name: machineconfigpools.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigPool - listKind: MachineConfigPoolList - plural: machineconfigpools - shortNames: - - mcp - singular: machineconfigpool - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.configuration.name - name: Config - type: string - - description: When all the machines in the pool are updated to the correct machine - config. - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - description: When at least one of machine is not either not updated or is in - the process of updating to the desired machine config. - jsonPath: .status.conditions[?(@.type=="Updating")].status - name: Updating - type: string - - description: When progress is blocked on updating one or more nodes or the pool - configuration is failing. 
- jsonPath: .status.conditions[?(@.type=="Degraded")].status - name: Degraded - type: string - - description: Total number of machines in the machine config pool - jsonPath: .status.machineCount - name: MachineCount - type: number - - description: Total number of ready machines targeted by the pool - jsonPath: .status.readyMachineCount - name: ReadyMachineCount - type: number - - description: Total number of machines targeted by the pool that have the CurrentMachineConfig - as their config - jsonPath: .status.updatedMachineCount - name: UpdatedMachineCount - type: number - - description: Total number of machines marked degraded (or unreconcilable) - jsonPath: .status.degradedMachineCount - name: DegradedMachineCount - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - MachineConfigPool describes a pool of MachineConfigs. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the desired machine config pool configuration. - properties: - configuration: - description: The targeted MachineConfig object for the machine config - pool. 
- properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - machineConfigSelector: - description: |- - machineConfigSelector specifies a label selector for MachineConfigs. 
- Refer https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ on how label and selectors work. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable defines either an integer number or percentage - of nodes in the pool that can go Unavailable during an update. - This includes nodes Unavailable for any reason, including user - initiated cordons, failing nodes, etc. The default value is 1. - - A value larger than 1 will mean multiple nodes going unavailable during - the update, which may affect your workload stress on the remaining nodes. 
- You cannot set this value to 0 to stop updates (it will default back to 1); - to stop updates, use the 'paused' property instead. Drain will respect - Pod Disruption Budgets (PDBs) such as etcd quorum guards, even if - maxUnavailable is greater than one. - x-kubernetes-int-or-string: true - nodeSelector: - description: nodeSelector specifies a label selector for Machines - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - paused: - description: |- - paused specifies whether or not changes to this machine config pool should be stopped. - This includes generating new desiredMachineConfig and update of machines. 
- type: boolean - type: object - status: - description: status contains observed information about the machine config - pool. - properties: - certExpirys: - description: certExpirys keeps track of important certificate expiration - data - items: - description: ceryExpiry contains the bundle name and the expiry - date - properties: - bundle: - description: bundle is the name of the bundle in which the subject - certificate resides - type: string - expiry: - description: expiry is the date after which the certificate - will no longer be valid - format: date-time - type: string - subject: - description: subject is the subject of the certificate - type: string - required: - - bundle - - subject - type: object - type: array - x-kubernetes-list-type: atomic - conditions: - description: conditions represents the latest available observations - of current state. - items: - description: MachineConfigPoolCondition contains condition information - for an MachineConfigPool. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - nullable: true - type: string - message: - description: |- - message is a human readable description of the details of the last - transition, complementing reason. - type: string - reason: - description: |- - reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - type: - description: type of the condition, currently ('Done', 'Updating', - 'Failed'). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - configuration: - description: configuration represents the current MachineConfig object - for the machine config pool. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - degradedMachineCount: - description: |- - degradedMachineCount represents the total number of machines marked degraded (or unreconcilable). - A node is marked degraded if applying a configuration failed.. - format: int32 - type: integer - machineCount: - description: machineCount represents the total number of machines - in the machine config pool. 
- format: int32 - type: integer - observedGeneration: - description: observedGeneration represents the generation observed - by the controller. - format: int64 - type: integer - readyMachineCount: - description: readyMachineCount represents the total number of ready - machines targeted by the pool. - format: int32 - type: integer - unavailableMachineCount: - description: |- - unavailableMachineCount represents the total number of unavailable (non-ready) machines targeted by the pool. - A node is marked unavailable if it is in updating state or NodeReady condition is false. - format: int32 - type: integer - updatedMachineCount: - description: updatedMachineCount represents the total number of machines - targeted by the pool that have the CurrentMachineConfig as their - config. - format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index ddd7c3b682..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,617 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1453 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfigpools.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigPool - listKind: MachineConfigPoolList - plural: machineconfigpools - shortNames: - - mcp - singular: machineconfigpool - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.configuration.name - name: Config - type: string - - description: When all the machines in the pool are updated to the correct machine - config. - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - description: When at least one of machine is not either not updated or is in - the process of updating to the desired machine config. - jsonPath: .status.conditions[?(@.type=="Updating")].status - name: Updating - type: string - - description: When progress is blocked on updating one or more nodes or the pool - configuration is failing. 
- jsonPath: .status.conditions[?(@.type=="Degraded")].status - name: Degraded - type: string - - description: Total number of machines in the machine config pool - jsonPath: .status.machineCount - name: MachineCount - type: number - - description: Total number of ready machines targeted by the pool - jsonPath: .status.readyMachineCount - name: ReadyMachineCount - type: number - - description: Total number of machines targeted by the pool that have the CurrentMachineConfig - as their config - jsonPath: .status.updatedMachineCount - name: UpdatedMachineCount - type: number - - description: Total number of machines marked degraded (or unreconcilable) - jsonPath: .status.degradedMachineCount - name: DegradedMachineCount - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - MachineConfigPool describes a pool of MachineConfigs. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the desired machine config pool configuration. - properties: - configuration: - description: The targeted MachineConfig object for the machine config - pool. 
- properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - machineConfigSelector: - description: |- - machineConfigSelector specifies a label selector for MachineConfigs. 
- Refer https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ on how label and selectors work. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable defines either an integer number or percentage - of nodes in the pool that can go Unavailable during an update. - This includes nodes Unavailable for any reason, including user - initiated cordons, failing nodes, etc. The default value is 1. - - A value larger than 1 will mean multiple nodes going unavailable during - the update, which may affect your workload stress on the remaining nodes. 
- You cannot set this value to 0 to stop updates (it will default back to 1); - to stop updates, use the 'paused' property instead. Drain will respect - Pod Disruption Budgets (PDBs) such as etcd quorum guards, even if - maxUnavailable is greater than one. - x-kubernetes-int-or-string: true - nodeSelector: - description: nodeSelector specifies a label selector for Machines - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - paused: - description: |- - paused specifies whether or not changes to this machine config pool should be stopped. - This includes generating new desiredMachineConfig and update of machines. 
- type: boolean - pinnedImageSets: - description: |- - pinnedImageSets specifies a sequence of PinnedImageSetRef objects for the - pool. Nodes within this pool will preload and pin images defined in the - PinnedImageSet. Before pulling images the MachineConfigDaemon will ensure - the total uncompressed size of all the images does not exceed available - resources. If the total size of the images exceeds the available - resources the controller will report a Degraded status to the - MachineConfigPool and not attempt to pull any images. Also to help ensure - the kubelet can mitigate storage risk, the pinned_image configuration and - subsequent service reload will happen only after all of the images have - been pulled for each set. Images from multiple PinnedImageSets are loaded - and pinned sequentially as listed. Duplicate and existing images will be - skipped. - - Any failure to prefetch or pin images will result in a Degraded pool. - Resolving these failures is the responsibility of the user. The admin - should be proactive in ensuring adequate storage and proper image - authentication exists in advance. - items: - properties: - name: - description: |- - name is a reference to the name of a PinnedImageSet. Must adhere to - RFC-1123 (https://tools.ietf.org/html/rfc1123). - Made up of one of more period-separated (.) segments, where each segment - consists of alphanumeric characters and hyphens (-), must begin and end - with an alphanumeric character, and is at most 63 characters in length. - The total length of the name must not exceed 253 characters. - maxLength: 253 - minLength: 1 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - status: - description: status contains observed information about the machine config - pool. 
- properties: - certExpirys: - description: certExpirys keeps track of important certificate expiration - data - items: - description: ceryExpiry contains the bundle name and the expiry - date - properties: - bundle: - description: bundle is the name of the bundle in which the subject - certificate resides - type: string - expiry: - description: expiry is the date after which the certificate - will no longer be valid - format: date-time - type: string - subject: - description: subject is the subject of the certificate - type: string - required: - - bundle - - subject - type: object - type: array - x-kubernetes-list-type: atomic - conditions: - description: conditions represents the latest available observations - of current state. - items: - description: MachineConfigPoolCondition contains condition information - for an MachineConfigPool. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - nullable: true - type: string - message: - description: |- - message is a human readable description of the details of the last - transition, complementing reason. - type: string - reason: - description: |- - reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - type: - description: type of the condition, currently ('Done', 'Updating', - 'Failed'). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - configuration: - description: configuration represents the current MachineConfig object - for the machine config pool. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - degradedMachineCount: - description: |- - degradedMachineCount represents the total number of machines marked degraded (or unreconcilable). - A node is marked degraded if applying a configuration failed.. - format: int32 - type: integer - machineCount: - description: machineCount represents the total number of machines - in the machine config pool. 
- format: int32 - type: integer - observedGeneration: - description: observedGeneration represents the generation observed - by the controller. - format: int64 - type: integer - poolSynchronizersStatus: - description: poolSynchronizersStatus is the status of the machines - managed by the pool synchronizers. - items: - properties: - availableMachineCount: - description: availableMachineCount is the number of machines - managed by the node synchronizer which are available. - format: int64 - minimum: 0 - type: integer - machineCount: - description: machineCount is the number of machines that are - managed by the node synchronizer. - format: int64 - minimum: 0 - type: integer - observedGeneration: - description: observedGeneration is the last generation change - that has been applied. - format: int64 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not move backwards except - to zero - rule: self >= oldSelf || (self == 0 && oldSelf > 0) - poolSynchronizerType: - description: poolSynchronizerType describes the type of the - pool synchronizer. - enum: - - PinnedImageSets - maxLength: 256 - type: string - readyMachineCount: - description: readyMachineCount is the number of machines managed - by the node synchronizer that are in a ready state. - format: int64 - minimum: 0 - type: integer - unavailableMachineCount: - description: unavailableMachineCount is the number of machines - managed by the node synchronizer but are unavailable. - format: int64 - minimum: 0 - type: integer - updatedMachineCount: - description: updatedMachineCount is the number of machines that - have been updated by the node synchronizer. 
- format: int64 - minimum: 0 - type: integer - required: - - availableMachineCount - - machineCount - - poolSynchronizerType - - readyMachineCount - - unavailableMachineCount - - updatedMachineCount - type: object - x-kubernetes-validations: - - message: machineCount must be greater than or equal to updatedMachineCount - rule: self.machineCount >= self.updatedMachineCount - - message: machineCount must be greater than or equal to availableMachineCount - rule: self.machineCount >= self.availableMachineCount - - message: machineCount must be greater than or equal to unavailableMachineCount - rule: self.machineCount >= self.unavailableMachineCount - - message: machineCount must be greater than or equal to readyMachineCount - rule: self.machineCount >= self.readyMachineCount - - message: availableMachineCount must be greater than or equal to - readyMachineCount - rule: self.availableMachineCount >= self.readyMachineCount - type: array - x-kubernetes-list-map-keys: - - poolSynchronizerType - x-kubernetes-list-type: map - readyMachineCount: - description: readyMachineCount represents the total number of ready - machines targeted by the pool. - format: int32 - type: integer - unavailableMachineCount: - description: |- - unavailableMachineCount represents the total number of unavailable (non-ready) machines targeted by the pool. - A node is marked unavailable if it is in updating state or NodeReady condition is false. - format: int32 - type: integer - updatedMachineCount: - description: updatedMachineCount represents the total number of machines - targeted by the pool that have the CurrentMachineConfig as their - config. - format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index ef048f6a84..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,617 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1453 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfigpools.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigPool - listKind: MachineConfigPoolList - plural: machineconfigpools - shortNames: - - mcp - singular: machineconfigpool - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.configuration.name - name: Config - type: string - - description: When all the machines in the pool are updated to the correct machine - config. - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - description: When at least one of machine is not either not updated or is in - the process of updating to the desired machine config. - jsonPath: .status.conditions[?(@.type=="Updating")].status - name: Updating - type: string - - description: When progress is blocked on updating one or more nodes or the pool - configuration is failing. 
- jsonPath: .status.conditions[?(@.type=="Degraded")].status - name: Degraded - type: string - - description: Total number of machines in the machine config pool - jsonPath: .status.machineCount - name: MachineCount - type: number - - description: Total number of ready machines targeted by the pool - jsonPath: .status.readyMachineCount - name: ReadyMachineCount - type: number - - description: Total number of machines targeted by the pool that have the CurrentMachineConfig - as their config - jsonPath: .status.updatedMachineCount - name: UpdatedMachineCount - type: number - - description: Total number of machines marked degraded (or unreconcilable) - jsonPath: .status.degradedMachineCount - name: DegradedMachineCount - type: number - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - MachineConfigPool describes a pool of MachineConfigs. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the desired machine config pool configuration. - properties: - configuration: - description: The targeted MachineConfig object for the machine config - pool. 
- properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - machineConfigSelector: - description: |- - machineConfigSelector specifies a label selector for MachineConfigs. 
- Refer https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ on how label and selectors work. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable defines either an integer number or percentage - of nodes in the pool that can go Unavailable during an update. - This includes nodes Unavailable for any reason, including user - initiated cordons, failing nodes, etc. The default value is 1. - - A value larger than 1 will mean multiple nodes going unavailable during - the update, which may affect your workload stress on the remaining nodes. 
- You cannot set this value to 0 to stop updates (it will default back to 1); - to stop updates, use the 'paused' property instead. Drain will respect - Pod Disruption Budgets (PDBs) such as etcd quorum guards, even if - maxUnavailable is greater than one. - x-kubernetes-int-or-string: true - nodeSelector: - description: nodeSelector specifies a label selector for Machines - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - paused: - description: |- - paused specifies whether or not changes to this machine config pool should be stopped. - This includes generating new desiredMachineConfig and update of machines. 
- type: boolean - pinnedImageSets: - description: |- - pinnedImageSets specifies a sequence of PinnedImageSetRef objects for the - pool. Nodes within this pool will preload and pin images defined in the - PinnedImageSet. Before pulling images the MachineConfigDaemon will ensure - the total uncompressed size of all the images does not exceed available - resources. If the total size of the images exceeds the available - resources the controller will report a Degraded status to the - MachineConfigPool and not attempt to pull any images. Also to help ensure - the kubelet can mitigate storage risk, the pinned_image configuration and - subsequent service reload will happen only after all of the images have - been pulled for each set. Images from multiple PinnedImageSets are loaded - and pinned sequentially as listed. Duplicate and existing images will be - skipped. - - Any failure to prefetch or pin images will result in a Degraded pool. - Resolving these failures is the responsibility of the user. The admin - should be proactive in ensuring adequate storage and proper image - authentication exists in advance. - items: - properties: - name: - description: |- - name is a reference to the name of a PinnedImageSet. Must adhere to - RFC-1123 (https://tools.ietf.org/html/rfc1123). - Made up of one of more period-separated (.) segments, where each segment - consists of alphanumeric characters and hyphens (-), must begin and end - with an alphanumeric character, and is at most 63 characters in length. - The total length of the name must not exceed 253 characters. - maxLength: 253 - minLength: 1 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - status: - description: status contains observed information about the machine config - pool. 
- properties: - certExpirys: - description: certExpirys keeps track of important certificate expiration - data - items: - description: ceryExpiry contains the bundle name and the expiry - date - properties: - bundle: - description: bundle is the name of the bundle in which the subject - certificate resides - type: string - expiry: - description: expiry is the date after which the certificate - will no longer be valid - format: date-time - type: string - subject: - description: subject is the subject of the certificate - type: string - required: - - bundle - - subject - type: object - type: array - x-kubernetes-list-type: atomic - conditions: - description: conditions represents the latest available observations - of current state. - items: - description: MachineConfigPoolCondition contains condition information - for an MachineConfigPool. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - nullable: true - type: string - message: - description: |- - message is a human readable description of the details of the last - transition, complementing reason. - type: string - reason: - description: |- - reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - type: - description: type of the condition, currently ('Done', 'Updating', - 'Failed'). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - configuration: - description: configuration represents the current MachineConfig object - for the machine config pool. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - source: - description: source is the list of MachineConfig objects that - were used to generate the single MachineConfig object specified - in `content`. - items: - description: ObjectReference contains enough information to - let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - degradedMachineCount: - description: |- - degradedMachineCount represents the total number of machines marked degraded (or unreconcilable). - A node is marked degraded if applying a configuration failed.. - format: int32 - type: integer - machineCount: - description: machineCount represents the total number of machines - in the machine config pool. 
- format: int32 - type: integer - observedGeneration: - description: observedGeneration represents the generation observed - by the controller. - format: int64 - type: integer - poolSynchronizersStatus: - description: poolSynchronizersStatus is the status of the machines - managed by the pool synchronizers. - items: - properties: - availableMachineCount: - description: availableMachineCount is the number of machines - managed by the node synchronizer which are available. - format: int64 - minimum: 0 - type: integer - machineCount: - description: machineCount is the number of machines that are - managed by the node synchronizer. - format: int64 - minimum: 0 - type: integer - observedGeneration: - description: observedGeneration is the last generation change - that has been applied. - format: int64 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not move backwards except - to zero - rule: self >= oldSelf || (self == 0 && oldSelf > 0) - poolSynchronizerType: - description: poolSynchronizerType describes the type of the - pool synchronizer. - enum: - - PinnedImageSets - maxLength: 256 - type: string - readyMachineCount: - description: readyMachineCount is the number of machines managed - by the node synchronizer that are in a ready state. - format: int64 - minimum: 0 - type: integer - unavailableMachineCount: - description: unavailableMachineCount is the number of machines - managed by the node synchronizer but are unavailable. - format: int64 - minimum: 0 - type: integer - updatedMachineCount: - description: updatedMachineCount is the number of machines that - have been updated by the node synchronizer. 
- format: int64 - minimum: 0 - type: integer - required: - - availableMachineCount - - machineCount - - poolSynchronizerType - - readyMachineCount - - unavailableMachineCount - - updatedMachineCount - type: object - x-kubernetes-validations: - - message: machineCount must be greater than or equal to updatedMachineCount - rule: self.machineCount >= self.updatedMachineCount - - message: machineCount must be greater than or equal to availableMachineCount - rule: self.machineCount >= self.availableMachineCount - - message: machineCount must be greater than or equal to unavailableMachineCount - rule: self.machineCount >= self.unavailableMachineCount - - message: machineCount must be greater than or equal to readyMachineCount - rule: self.machineCount >= self.readyMachineCount - - message: availableMachineCount must be greater than or equal to - readyMachineCount - rule: self.availableMachineCount >= self.readyMachineCount - type: array - x-kubernetes-list-map-keys: - - poolSynchronizerType - x-kubernetes-list-type: map - readyMachineCount: - description: readyMachineCount represents the total number of ready - machines targeted by the pool. - format: int32 - type: integer - unavailableMachineCount: - description: |- - unavailableMachineCount represents the total number of unavailable (non-ready) machines targeted by the pool. - A node is marked unavailable if it is in updating state or NodeReady condition is false. - format: int32 - type: integer - updatedMachineCount: - description: updatedMachineCount represents the total number of machines - targeted by the pool that have the CurrentMachineConfig as their - config. - format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools.crd.yaml index e4cd170511..5d69585f08 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigpools.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade labels: openshift.io/operator-managed: "" name: machineconfigpools.machineconfiguration.openshift.io diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds.crd.yaml index 33d7523d59..23880a38ee 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds.crd.yaml 
@@ -206,15 +206,16 @@ spec: description: |- resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, - and should start and end with an alphanumeric character. + and should start with an alphabetic character and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: '!format.dns1123Label().validate(self).hasValue()' + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: '!format.dns1035Label().validate(self).hasValue()' required: - group - name @@ -367,15 +368,16 @@ spec: description: |- resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, - and should start and end with an alphanumeric character. + and should start with an alphabetic character and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: '!format.dns1123Label().validate(self).hasValue()' + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: '!format.dns1035Label().validate(self).hasValue()' required: - group - name 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml index 36aca1b9ef..6e8dd52e54 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs.crd.yaml @@ -317,15 +317,16 @@ spec: description: |- resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, - and should start and end with an alphanumeric character. + and should start with an alphabetic character and end with an alphanumeric character. Example: "deployments", "deploymentconfigs", "pods", etc. maxLength: 63 minLength: 1 type: string x-kubernetes-validations: - - message: the value must consist of only lowercase alphanumeric - characters and hyphens - rule: '!format.dns1123Label().validate(self).hasValue()' + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: '!format.dns1035Label().validate(self).hasValue()' required: - group - name diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 18775703be..0000000000 
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,102 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2198 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: pinnedimagesets.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: PinnedImageSet - listKind: PinnedImageSetList - plural: pinnedimagesets - singular: pinnedimageset - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - PinnedImageSet describes a set of images that should be pinned by CRI-O and - pulled to the nodes which are members of the declared MachineConfigPools. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of this pinned image set. 
- properties: - pinnedImages: - description: |- - pinnedImages is a list of OCI Image referenced by digest that should be - pinned and pre-loaded by the nodes of a MachineConfigPool. - Translates into a new file inside the /etc/crio/crio.conf.d directory - with content similar to this: - - pinned_images = [ - "quay.io/openshift-release-dev/ocp-release@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - ... - ] - - Image references must be by digest. - A maximum of 500 images may be specified. - items: - description: PinnedImageRef represents a reference to an OCI image - properties: - name: - description: |- - name is an OCI Image referenced by digest. - The format of the image pull spec is: host[:port][/namespace]/name@sha256:, - where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - The length of the whole spec must be between 1 to 447 characters. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - required: - - name - type: object - maxItems: 500 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - pinnedImages - type: object - required: - - spec - type: object - served: true - storage: true 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index f0bf8d539a..0000000000
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,102 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2198 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: pinnedimagesets.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: PinnedImageSet - listKind: PinnedImageSetList - plural: pinnedimagesets - singular: pinnedimageset - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - PinnedImageSet describes a set of images that should be pinned by CRI-O and - pulled to the nodes which are members of the declared MachineConfigPools. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of this pinned image set. 
- properties: - pinnedImages: - description: |- - pinnedImages is a list of OCI Image referenced by digest that should be - pinned and pre-loaded by the nodes of a MachineConfigPool. - Translates into a new file inside the /etc/crio/crio.conf.d directory - with content similar to this: - - pinned_images = [ - "quay.io/openshift-release-dev/ocp-release@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - ... - ] - - Image references must be by digest. - A maximum of 500 images may be specified. - items: - description: PinnedImageRef represents a reference to an OCI image - properties: - name: - description: |- - name is an OCI Image referenced by digest. - The format of the image pull spec is: host[:port][/namespace]/name@sha256:, - where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. - The length of the whole spec must be between 1 to 447 characters. - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - required: - - name - type: object - maxItems: 500 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - pinnedImages - type: object - required: - - spec - type: object - served: true - storage: true 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml similarity index 98% rename from vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml index 5aebd9b228..49fd8d52f6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade labels: openshift.io/operator-managed: "" name: pinnedimagesets.machineconfiguration.openshift.io diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 72289b00a3..beb838caf6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -29,7 +29,6 @@ controllerconfigs.machineconfiguration.openshift.io: Category: "" FeatureGates: - AWSClusterHostedDNS - - BareMetalLoadBalancer - DualReplica - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNS 
@@ -39,7 +38,6 @@ controllerconfigs.machineconfiguration.openshift.io: - HighlyAvailableArbiter+DualReplica - NutanixMultiSubnets - VSphereMultiNetworks - - VSphereMultiVCenters FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 8a92be70f4..92f536b9a8 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -530,7 +530,7 @@ func (MachineOSConfigReference) SwaggerDoc() map[string]string { var map_ObjectReference = map[string]string{ "": "ObjectReference contains enough information to let you inspect or modify the referred object.", "group": "group of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", - "resource": "resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", + "resource": "resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", "namespace": "namespace of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start and end with an alphanumeric character.", "name": "name of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.", } diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 374dc144db..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,378 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2256 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfignodes.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigNode - listKind: MachineConfigNodeList - plural: machineconfignodes - singular: machineconfignode - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.pool.name - name: PoolName - type: string - - jsonPath: .spec.configVersion.desired - name: DesiredConfig - type: string - - jsonPath: .status.configVersion.current - name: CurrentConfig - type: string - - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status - name: UpdatePrepared - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status - name: UpdateExecuted - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status - name: UpdatePostActionComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status - name: UpdateComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Resumed")].status - name: Resumed - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Cordoned")].status - name: CordonedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Drained")].status - name: 
DrainedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status - name: RebootedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status - name: UncordonedNode - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - MachineConfigNode describes the health of the Machines on the system - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of the machine config node. - properties: - configVersion: - description: |- - configVersion holds the desired config version for the node targeted by this machine config node resource. - The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates - the new machine config against the current machine config. - properties: - desired: - description: |- - desired is the name of the machine config that the the node should be upgraded to. 
- This value is set when the machine config pool generates a new version of its rendered configuration. - When this value is changed, the machine config daemon starts the node upgrade process. - This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - node: - description: node contains a reference to the node for this machine - config node. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - pool: - description: |- - pool contains a reference to the machine config pool that this machine config node's - referenced node belongs to. 
- properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - required: - - configVersion - - node - - pool - type: object - status: - description: status describes the last observed state of this machine - config node. - properties: - conditions: - description: conditions represent the observations of a machine config - node's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - configVersion: - description: configVersion describes the current and desired machine - config version for this node. - properties: - current: - description: |- - current is the name of the machine config currently in use on the node. - This value is updated once the machine config daemon has completed the update of the configuration for the node. - This value should match the desired version unless an upgrade is in progress. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - desired: - description: |- - desired is the MachineConfig the node wants to upgrade to. - This value gets set in the machine config node status once the machine config has been validated - against the current machine config. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - observedGeneration: - description: |- - observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. - This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. - format: int64 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not decrease - rule: self >= oldSelf - pinnedImageSets: - description: pinnedImageSets describes the current and desired pinned - image sets for this node. - items: - description: MachineConfigNodeStatusPinnedImageSet holds information - about the current, desired, and failed pinned image sets for the - observed machine config node. - properties: - currentGeneration: - description: currentGeneration is the generation of the pinned - image set that has most recently been successfully pulled - and pinned on this node. 
- format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: currentGeneration must not decrease - rule: self >= oldSelf - desiredGeneration: - description: desiredGeneration is the generation of the pinned - image set that is targeted to be pulled and pinned on this - node. - format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: desiredGeneration must not decrease - rule: self >= oldSelf - lastFailedGeneration: - description: lastFailedGeneration is the generation of the most - recent pinned image set that failed to be pulled and pinned - on this node. - format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: lastFailedGeneration must not decrease - rule: self >= oldSelf - lastFailedGenerationError: - description: |- - lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. - The error is an empty string if the image pull and pin is successful. - maxLength: 32768 - type: string - name: - description: |- - name is the name of the pinned image set. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start - and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - x-kubernetes-validations: - - message: desired generation must be greater than or equal to the - current generation - rule: 'has(self.desiredGeneration) && has(self.currentGeneration) - ? 
self.desiredGeneration >= self.currentGeneration : true' - - message: desired generation must be greater than or equal to the - last failed generation - rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) - ? self.desiredGeneration >= self.lastFailedGeneration : true' - - message: last failed generation error must be defined on image - pull and pin failure - rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) - : true' - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - configVersion - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: spec.node.name should match metadata.name - rule: self.metadata.name == self.spec.node.name - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 938a4b71c5..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,378 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2256 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: machineconfignodes.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: MachineConfigNode - listKind: MachineConfigNodeList - plural: machineconfignodes - singular: machineconfignode - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.pool.name - name: PoolName - type: string - - jsonPath: .spec.configVersion.desired - name: DesiredConfig - type: string - - jsonPath: .status.configVersion.current - name: CurrentConfig - type: string - - jsonPath: .status.conditions[?(@.type=="Updated")].status - name: Updated - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status - name: UpdatePrepared - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status - name: UpdateExecuted - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status - name: UpdatePostActionComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status - name: UpdateComplete - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Resumed")].status - name: Resumed - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Cordoned")].status - name: CordonedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Drained")].status - name: 
DrainedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status - name: RebootedNode - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status - name: UncordonedNode - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - MachineConfigNode describes the health of the Machines on the system - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of the machine config node. - properties: - configVersion: - description: |- - configVersion holds the desired config version for the node targeted by this machine config node resource. - The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates - the new machine config against the current machine config. - properties: - desired: - description: |- - desired is the name of the machine config that the the node should be upgraded to. 
- This value is set when the machine config pool generates a new version of its rendered configuration. - When this value is changed, the machine config daemon starts the node upgrade process. - This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - node: - description: node contains a reference to the node for this machine - config node. - properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - pool: - description: |- - pool contains a reference to the machine config pool that this machine config node's - referenced node belongs to. 
- properties: - name: - description: |- - name is the name of the object being referenced. For example, this can represent a machine - config pool or node name. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - required: - - configVersion - - node - - pool - type: object - status: - description: status describes the last observed state of this machine - config node. - properties: - conditions: - description: conditions represent the observations of a machine config - node's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - configVersion: - description: configVersion describes the current and desired machine - config version for this node. - properties: - current: - description: |- - current is the name of the machine config currently in use on the node. - This value is updated once the machine config daemon has completed the update of the configuration for the node. - This value should match the desired version unless an upgrade is in progress. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - desired: - description: |- - desired is the MachineConfig the node wants to upgrade to. - This value gets set in the machine config node status once the machine config has been validated - against the current machine config. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start and - end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - desired - type: object - observedGeneration: - description: |- - observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. - This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. - format: int64 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: observedGeneration must not decrease - rule: self >= oldSelf - pinnedImageSets: - description: pinnedImageSets describes the current and desired pinned - image sets for this node. - items: - description: MachineConfigNodeStatusPinnedImageSet holds information - about the current, desired, and failed pinned image sets for the - observed machine config node. - properties: - currentGeneration: - description: currentGeneration is the generation of the pinned - image set that has most recently been successfully pulled - and pinned on this node. 
- format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: currentGeneration must not decrease - rule: self >= oldSelf - desiredGeneration: - description: desiredGeneration is the generation of the pinned - image set that is targeted to be pulled and pinned on this - node. - format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: desiredGeneration must not decrease - rule: self >= oldSelf - lastFailedGeneration: - description: lastFailedGeneration is the generation of the most - recent pinned image set that failed to be pulled and pinned - on this node. - format: int32 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: lastFailedGeneration must not decrease - rule: self >= oldSelf - lastFailedGenerationError: - description: |- - lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. - The error is an empty string if the image pull and pin is successful. - maxLength: 32768 - type: string - name: - description: |- - name is the name of the pinned image set. - Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting - of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end - with an alphanumeric character, and be at most 253 characters in length. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist of lower - case alphanumeric characters, '-' or '.', and must start - and end with an alphanumeric character. - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - x-kubernetes-validations: - - message: desired generation must be greater than or equal to the - current generation - rule: 'has(self.desiredGeneration) && has(self.currentGeneration) - ? 
self.desiredGeneration >= self.currentGeneration : true' - - message: desired generation must be greater than or equal to the - last failed generation - rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) - ? self.desiredGeneration >= self.lastFailedGeneration : true' - - message: last failed generation error must be defined on image - pull and pin failure - rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) - : true' - maxItems: 100 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - configVersion - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: spec.node.name should match metadata.name - rule: self.metadata.name == self.spec.node.name - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml index 89bbbd61d7..21a3919ae9 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml 
@@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade labels: openshift.io/operator-managed: "" name: machineconfignodes.machineconfiguration.openshift.io diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 2beccbb27f..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1713 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: pinnedimagesets.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: PinnedImageSet - listKind: PinnedImageSetList - plural: pinnedimagesets - singular: pinnedimageset - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - PinnedImageSet describes a set of images that should be pinned by CRI-O and - pulled to the nodes which are members of the declared MachineConfigPools. - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of this pinned image set. 
- properties: - pinnedImages: - description: |- - pinnedImages is a list of OCI Image referenced by digest that should be - pinned and pre-loaded by the nodes of a MachineConfigPool. - Translates into a new file inside the /etc/crio/crio.conf.d directory - with content similar to this: - - pinned_images = [ - "quay.io/openshift-release-dev/ocp-release@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - ... - ] - - These image references should all be by digest, tags aren't allowed. - items: - properties: - name: - description: |- - name is an OCI Image referenced by digest. - - The format of the image ref is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$') - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$') - required: - - name - type: object - maxItems: 500 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - pinnedImages - type: object - status: - description: status describes the last observed state of this pinned image - set. - properties: - conditions: - description: conditions represent the observations of a pinned image - set's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 6463640005..0000000000 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1713 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - labels: - openshift.io/operator-managed: "" - name: pinnedimagesets.machineconfiguration.openshift.io -spec: - group: machineconfiguration.openshift.io - names: - kind: PinnedImageSet - listKind: PinnedImageSetList - plural: pinnedimagesets - singular: pinnedimageset - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - PinnedImageSet describes a set of images that should be pinned by CRI-O and - pulled to the nodes which are members of the declared MachineConfigPools. - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec describes the configuration of this pinned image set. 
- properties: - pinnedImages: - description: |- - pinnedImages is a list of OCI Image referenced by digest that should be - pinned and pre-loaded by the nodes of a MachineConfigPool. - Translates into a new file inside the /etc/crio/crio.conf.d directory - with content similar to this: - - pinned_images = [ - "quay.io/openshift-release-dev/ocp-release@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...", - ... - ] - - These image references should all be by digest, tags aren't allowed. - items: - properties: - name: - description: |- - name is an OCI Image referenced by digest. - - The format of the image ref is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$') - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$') - required: - - name - type: object - maxItems: 500 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - pinnedImages - type: object - status: - description: status describes the last observed state of this pinned image - set. - properties: - conditions: - description: conditions represent the observations of a pinned image - set's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml index 1d18ba185f..74624b5ea6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade labels: openshift.io/operator-managed: "" name: pinnedimagesets.machineconfiguration.openshift.io diff --git a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go index 498f78df6d..0d71e3f8b0 100644 --- a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go +++ b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/types.go 
@@ -258,7 +258,10 @@ const ( type OpenShiftControllerManagerConfig struct { metav1.TypeMeta `json:",inline"` - KubeClientConfig configv1.KubeClientConfig `json:"kubeClientConfig"` + // KubeClientConfig is no longer being used. + // The field is being ignored by OCM. + // + // KubeClientConfig configv1.KubeClientConfig `json:"kubeClientConfig"` // servingInfo describes how to start serving ServingInfo *configv1.HTTPServingInfo `json:"servingInfo"` diff --git a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go index fbb2e5e2b9..4d7774caa4 100644 --- a/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.deepcopy.go @@ -459,7 +459,6 @@ func (in *OpenShiftAPIServerConfig) DeepCopyObject() runtime.Object { func (in *OpenShiftControllerManagerConfig) DeepCopyInto(out *OpenShiftControllerManagerConfig) { *out = *in out.TypeMeta = in.TypeMeta - out.KubeClientConfig = in.KubeClientConfig if in.ServingInfo != nil { in, out := &in.ServingInfo, &out.ServingInfo *out = new(configv1.HTTPServingInfo) diff --git a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go index b25133a42f..cf7922fcd8 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go +++ b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go 
@@ -348,7 +348,6 @@ type VSphereCSIDriverConfigSpec struct { // Volume snapshot documentation: https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-E0B41C69-7EEB-450F-A73D-5FD2FF39E891.html // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GlobalMaxSnapshotsPerBlockVolume *uint32 `json:"globalMaxSnapshotsPerBlockVolume,omitempty"` @@ -357,7 +356,6 @@ type VSphereCSIDriverConfigSpec struct { // Snapshots for VSAN can not be disabled using this parameter. // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GranularMaxSnapshotsPerBlockVolumeInVSAN *uint32 `json:"granularMaxSnapshotsPerBlockVolumeInVSAN,omitempty"` @@ -366,7 +364,6 @@ type VSphereCSIDriverConfigSpec struct { // Snapshots for VVOL can not be disabled using this parameter. // +kubebuilder:validation:Minimum=1 // +kubebuilder:validation:Maximum=32 - // +openshift:enable:FeatureGate=VSphereDriverConfiguration // +optional GranularMaxSnapshotsPerBlockVolumeInVVOL *uint32 `json:"granularMaxSnapshotsPerBlockVolumeInVVOL,omitempty"` diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go index 4c53734d86..2d88bcd770 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go +++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go 
@@ -53,7 +53,6 @@ type MachineConfigurationSpec struct { // MachineConfig-based updates, such as drains, service reloads, etc. Specifying this will allow // for less downtime when doing small configuration updates to the cluster. This configuration // has no effect on cluster upgrades which will still incur node disruption where required. - // +openshift:enable:FeatureGate=NodeDisruptionPolicy // +optional NodeDisruptionPolicy NodeDisruptionPolicyConfig `json:"nodeDisruptionPolicy"` } @@ -94,7 +93,6 @@ type MachineConfigurationStatus struct { // nodeDisruptionPolicyStatus status reflects what the latest cluster-validated policies are, // and will be used by the Machine Config Daemon during future node updates. - // +openshift:enable:FeatureGate=NodeDisruptionPolicy // +optional NodeDisruptionPolicyStatus NodeDisruptionPolicyStatus `json:"nodeDisruptionPolicyStatus"` diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml deleted file mode 100644 index e900bb1195..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml +++ /dev/null 
@@ -1,1028 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. 
- items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). 
- properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. 
- If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. 
- enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. 
- type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. 
Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. 
The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. 
- Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. 
- When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. 
- The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. 
Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. 
- The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. 
- format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is fd98::/64 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork defaults to 'false' and this setting enables the pod multi-networking capability. 
- disableMultiNetwork when set to 'true' at cluster install time does not install the components, typically the Multus CNI and the network-attachment-definition CRD, - that enable the pod multi-networking capability. Setting the parameter to 'true' might be useful when you need install third-party CNI plugins, - but these plugins are not supported by Red Hat. Changing the parameter value as a postinstallation cluster task has no effect. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. - properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. 
- It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. 
- enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. 
If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - 
version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 89b8f8b58d..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,1051 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. 
- items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). 
- properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. 
- If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. 
- enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. 
- type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. 
Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. 
The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. 
- Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. 
- When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. 
- The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. 
Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. 
- The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. 
- format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - routeAdvertisements: - description: |- - routeAdvertisements determines if the functionality to advertise cluster - network routes through a dynamic routing protocol, such as BGP, is - enabled or not. This functionality is configured through the - ovn-kubernetes RouteAdvertisements CRD. Requires the 'FRR' routing - capability provider to be enabled as an additional routing capability. - Allowed values are "Enabled", "Disabled" and ommited. When omitted, this - means the user has no opinion and the platform is left to choose - reasonable defaults. These defaults are subject to change over time. The - current default is "Disabled". - enum: - - "" - - Enabled - - Disabled - type: string - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. 
- Default is fd98::/64 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork defaults to 'false' and this setting enables the pod multi-networking capability. - disableMultiNetwork when set to 'true' at cluster install time does not install the components, typically the Multus CNI and the network-attachment-definition CRD, - that enable the pod multi-networking capability. Setting the parameter to 'true' might be useful when you need install third-party CNI plugins, - but these plugins are not supported by Red Hat. Changing the parameter value as a postinstallation cluster task has no effect. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. 
- properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. 
In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. 
- DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. 
- DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. 
- nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. 
- properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. 
- properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index 5c5c0d708a..0000000000
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,1051 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: networks.operator.openshift.io -spec: - group: operator.openshift.io - names: - kind: Network - listKind: NetworkList - plural: networks - singular: network - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Network describes the cluster's desired network configuration. It is - consumed by the cluster-network-operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSpec is the top-level network configuration object. - properties: - additionalNetworks: - description: |- - additionalNetworks is a list of extra networks to make available to pods - when multiple networks are enabled. 
- items: - description: |- - AdditionalNetworkDefinition configures an extra network that is available but not - created by default. Instead, pods must request them by name. - type must be specified, along with exactly one "Config" that matches the type. - properties: - name: - description: |- - name is the name of the network. This will be populated in the resulting CRD - This must be unique. - type: string - namespace: - description: |- - namespace is the namespace of the network. This will be populated in the resulting CRD - If not given the network will be created in the default namespace. - type: string - rawCNIConfig: - description: |- - rawCNIConfig is the raw CNI configuration json to create in the - NetworkAttachmentDefinition CRD - type: string - simpleMacvlanConfig: - description: simpleMacvlanConfig configures the macvlan interface - in case of type:NetworkTypeSimpleMacvlan - properties: - ipamConfig: - description: ipamConfig configures IPAM module will be used - for IP Address Management (IPAM). 
- properties: - staticIPAMConfig: - description: staticIPAMConfig configures the static - IP address in case of type:IPAMTypeStatic - properties: - addresses: - description: addresses configures IP address for - the interface - items: - description: StaticIPAMAddresses provides IP address - and Gateway for static IPAM addresses - properties: - address: - description: address is the IP address in - CIDR format - type: string - gateway: - description: gateway is IP inside of subnet - to designate as the gateway - type: string - type: object - type: array - x-kubernetes-list-type: atomic - dns: - description: dns configures DNS for the interface - properties: - domain: - description: domain configures the domainname - the local domain used for short hostname lookups - type: string - nameservers: - description: nameservers points DNS servers - for IP lookup - items: - type: string - type: array - x-kubernetes-list-type: atomic - search: - description: search configures priority ordered - search domains for short hostname lookups - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - routes: - description: routes configures IP routes for the - interface - items: - description: StaticIPAMRoutes provides Destination/Gateway - pairs for static IPAM routes - properties: - destination: - description: destination points the IP route - destination - type: string - gateway: - description: |- - gateway is the route's next-hop IP address - If unset, a default gateway is assumed (as determined by the CNI plugin). - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: - description: |- - type is the type of IPAM module will be used for IP Address Management(IPAM). - The supported values are IPAMTypeDHCP, IPAMTypeStatic - type: string - type: object - master: - description: |- - master is the host interface to create the macvlan interface from. 
- If not specified, it will be default route interface - type: string - mode: - description: 'mode is the macvlan mode: bridge, private, - vepa, passthru. The default is bridge' - type: string - mtu: - description: |- - mtu is the mtu to use for the macvlan interface. if unset, host's - kernel will select the value. - format: int32 - minimum: 0 - type: integer - type: object - type: - description: |- - type is the type of network - The supported values are NetworkTypeRaw, NetworkTypeSimpleMacvlan - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalRoutingCapabilities: - description: |- - additionalRoutingCapabilities describes components and relevant - configuration providing additional routing capabilities. When set, it - enables such components and the usage of the routing capabilities they - provide for the machine network. Upstream operators, like MetalLB - operator, requiring these capabilities may rely on, or automatically set - this attribute. Network plugins may leverage advanced routing - capabilities acquired through the enablement of these components but may - require specific configuration on their side to do so; refer to their - respective documentation and configuration options. - properties: - providers: - description: |- - providers is a set of enabled components that provide additional routing - capabilities. Entries on this list must be unique. The only valid value - is currrently "FRR" which provides FRR routing capabilities through the - deployment of FRR. - items: - description: RoutingCapabilitiesProvider is a component providing - routing capabilities. 
- enum: - - FRR - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - rule: self.all(x, self.exists_one(y, x == y)) - required: - - providers - type: object - clusterNetwork: - description: |- - clusterNetwork is the IP address pool to use for pod IPs. - Some network providers support multiple ClusterNetworks. - Others only support one. This is equivalent to the cluster-cidr. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. - Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - defaultNetwork: - description: defaultNetwork is the "default" network that all pods - will receive - properties: - openshiftSDNConfig: - description: |- - openshiftSDNConfig was previously used to configure the openshift-sdn plugin. - DEPRECATED: OpenShift SDN is no longer supported. - properties: - enableUnidling: - description: |- - enableUnidling controls whether or not the service proxy will support idling - and unidling of services. By default, unidling is enabled. - type: boolean - mode: - description: mode is one of "Multitenant", "Subnet", or "NetworkPolicy" - type: string - mtu: - description: |- - mtu is the mtu to use for the tunnel interface. Defaults to 1450 if unset. - This must be 50 bytes smaller than the machine's uplink. - format: int32 - minimum: 0 - type: integer - useExternalOpenvswitch: - description: |- - useExternalOpenvswitch used to control whether the operator would deploy an OVS - DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always - run as a system service, and this flag is ignored. 
- type: boolean - vxlanPort: - description: vxlanPort is the port to use for all vxlan packets. - The default is 4789. - format: int32 - minimum: 0 - type: integer - type: object - ovnKubernetesConfig: - description: ovnKubernetesConfig configures the ovn-kubernetes - plugin. - properties: - egressIPConfig: - description: egressIPConfig holds the configuration for EgressIP - options. - properties: - reachabilityTotalTimeoutSeconds: - description: |- - reachabilityTotalTimeout configures the EgressIP node reachability check total timeout in seconds. - If the EgressIP node cannot be reached within this timeout, the node is declared down. - Setting a large value may cause the EgressIP feature to react slowly to node changes. - In particular, it may react slowly for EgressIP nodes that really have a genuine problem and are unreachable. - When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 1 second. - A value of 0 disables the EgressIP node's reachability check. - format: int32 - maximum: 60 - minimum: 0 - type: integer - type: object - gatewayConfig: - description: gatewayConfig holds the configuration for node - gateway options. - properties: - ipForwarding: - description: |- - ipForwarding controls IP forwarding for all traffic on OVN-Kubernetes managed interfaces (such as br-ex). - By default this is set to Restricted, and Kubernetes related traffic is still forwarded appropriately, but other - IP traffic will not be routed by the OCP node. If there is a desire to allow the host to forward traffic across - OVN-Kubernetes managed interfaces, then set this field to "Global". - The supported values are "Restricted" and "Global". - type: string - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinion and the default - configuration is used. 
Check individual members fields within ipv4 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /29). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 4 - - message: subnet must be in the range /0 to /29 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 29 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > - 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When omitted, this means no opinion and the default - configuration is used. Check individual members fields within ipv6 for details of default values. - properties: - internalMasqueradeSubnet: - description: |- - internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by - ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these - addresses, as well as the shared gateway bridge interface. The values can be changed after - installation. 
The subnet chosen should not overlap with other networks specified for - OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must - be large enough to accommodate 6 IPs (maximum prefix length /125). - When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 - Note that IPV6 dual addresses are not permitted - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == - 6 - - message: subnet must be in the range /0 to /125 - inclusive - rule: isCIDR(self) && cidr(self).prefixLength() - <= 125 - type: object - routingViaHost: - default: false - description: |- - routingViaHost allows pod egress traffic to exit via the ovn-k8s-mp0 management port - into the host before sending it out. If this is not set, traffic will always egress directly - from OVN to outside without touching the host stack. Setting this to true means hardware - offload will not be supported. Default is false if GatewayConfig is specified. - type: boolean - type: object - genevePort: - description: |- - geneve port is the UDP port to be used by geneve encapulation. - Default is 6081 - format: int32 - minimum: 1 - type: integer - hybridOverlayConfig: - description: |- - hybridOverlayConfig configures an additional overlay network for peers that are - not using OVN. - properties: - hybridClusterNetwork: - description: hybridClusterNetwork defines a network space - given to nodes on an additional overlay network. - items: - description: |- - ClusterNetworkEntry is a subnet from which to allocate PodIPs. A network of size - HostPrefix (in CIDR notation) will be allocated when nodes join the cluster. If - the HostPrefix field is not used by the plugin, it can be left unset. 
- Not all network providers support multiple ClusterNetworks - properties: - cidr: - type: string - hostPrefix: - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - hybridOverlayVXLANPort: - description: |- - hybridOverlayVXLANPort defines the VXLAN port number to be used by the additional overlay network. - Default is 4789 - format: int32 - type: integer - type: object - ipsecConfig: - default: - mode: Disabled - description: |- - ipsecConfig enables and configures IPsec for pods on the pod network within the - cluster. - properties: - full: - description: |- - full defines configuration parameters for the IPsec `Full` mode. - This is permitted only when mode is configured with `Full`, - and forbidden otherwise. - minProperties: 1 - properties: - encapsulation: - description: |- - encapsulation option to configure libreswan on how inter-pod traffic across nodes - are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 - for the encapsulation. - Valid values are Always, Auto and omitted. - Always means enable UDP encapsulation regardless of whether NAT is detected. - Auto means enable UDP encapsulation based on the detection of NAT. - When omitted, this means no opinion and the platform is left to choose a reasonable - default, which is subject to change over time. The current default is Auto. - enum: - - Always - - Auto - type: string - type: object - mode: - description: |- - mode defines the behaviour of the ipsec configuration within the platform. - Valid values are `Disabled`, `External` and `Full`. - When 'Disabled', ipsec will not be enabled at the node level. - When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. - This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. 
- When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. - Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), - this is left to the user to configure. - enum: - - Disabled - - External - - Full - type: string - type: object - x-kubernetes-validations: - - message: ipsecConfig.mode is required - rule: self == oldSelf || has(self.mode) - - message: full is forbidden when mode is not Full - rule: 'has(self.mode) && self.mode == ''Full'' ? true : - !has(self.full)' - ipv4: - description: |- - ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, - this means no opinions and the default configuration is used. Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. 
- The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. - The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster - The value must be in proper IPV4 CIDR format - maxLength: 18 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV4 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 4 - - message: subnet must be in the range /0 to /30 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 30 - - message: first IP address octet must not be 0 - rule: isCIDR(self) && int(self.split('.')[0]) > 0 - type: object - ipv6: - description: |- - ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, - this means no opinions and the default configuration is used. 
Check individual - fields within ipv4 for details of default values. - properties: - internalJoinSubnet: - description: |- - internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster - The current default value is fd98::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - internalTransitSwitchSubnet: - description: |- - internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally - by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect - architecture that connects the cluster routers on each node together to enable - east west traffic. The subnet chosen should not overlap with other networks - specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. - When ommitted, this means no opinion and the platform is left to choose a reasonable - default which is subject to change over time. 
- The subnet must be large enough to accomadate one IP per node in your cluster - The current default subnet is fd97::/64 - The value must be in proper IPV6 CIDR format - Note that IPV6 dual addresses are not permitted - maxLength: 48 - type: string - x-kubernetes-validations: - - message: Subnet must be in valid IPV6 CIDR format - rule: isCIDR(self) && cidr(self).ip().family() == 6 - - message: subnet must be in the range /0 to /125 inclusive - rule: isCIDR(self) && cidr(self).prefixLength() <= 125 - type: object - mtu: - description: |- - mtu is the MTU to use for the tunnel interface. This must be 100 - bytes smaller than the uplink mtu. - Default is 1400 - format: int32 - minimum: 0 - type: integer - policyAuditConfig: - description: |- - policyAuditConfig is the configuration for network policy audit events. If unset, - reported defaults are used. - properties: - destination: - default: "null" - description: |- - destination is the location for policy log messages. - Regardless of this config, persistent logs will always be dumped to the host - at /var/log/ovn/ however - Additionally syslog output may be configured as follows. - Valid values are: - - "libc" -> to use the libc syslog() function of the host node's journdald process - - "udp:host:port" -> for sending syslog over UDP - - "unix:file" -> for using the UNIX domain socket directly - - "null" -> to discard all messages logged to syslog - The default is "null" - type: string - maxFileSize: - default: 50 - description: |- - maxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs - Units are in MB and the Default is 50MB - format: int32 - minimum: 1 - type: integer - maxLogFiles: - default: 5 - description: maxLogFiles specifies the maximum number - of ACL_audit log files that can be present. 
- format: int32 - minimum: 1 - type: integer - rateLimit: - default: 20 - description: |- - rateLimit is the approximate maximum number of messages to generate per-second per-node. If - unset the default of 20 msg/sec is used. - format: int32 - minimum: 1 - type: integer - syslogFacility: - default: local0 - description: syslogFacility the RFC5424 facility for generated - messages, e.g. "kern". Default is "local0" - type: string - type: object - routeAdvertisements: - description: |- - routeAdvertisements determines if the functionality to advertise cluster - network routes through a dynamic routing protocol, such as BGP, is - enabled or not. This functionality is configured through the - ovn-kubernetes RouteAdvertisements CRD. Requires the 'FRR' routing - capability provider to be enabled as an additional routing capability. - Allowed values are "Enabled", "Disabled" and ommited. When omitted, this - means the user has no opinion and the platform is left to choose - reasonable defaults. These defaults are subject to change over time. The - current default is "Disabled". - enum: - - "" - - Enabled - - Disabled - type: string - v4InternalSubnet: - description: |- - v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - Default is 100.64.0.0/16 - type: string - v6InternalSubnet: - description: |- - v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the - default one is being already used by something else. It must not overlap with - any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. 
- Default is fd98::/64 - type: string - type: object - type: - description: |- - type is the type of network - All NetworkTypes are supported except for NetworkTypeRaw - type: string - type: object - deployKubeProxy: - description: |- - deployKubeProxy specifies whether or not a standalone kube-proxy should - be deployed by the operator. Some network providers include kube-proxy - or similar functionality. If unset, the plugin will attempt to select - the correct value, which is false when ovn-kubernetes is used and true - otherwise. - type: boolean - disableMultiNetwork: - description: |- - disableMultiNetwork defaults to 'false' and this setting enables the pod multi-networking capability. - disableMultiNetwork when set to 'true' at cluster install time does not install the components, typically the Multus CNI and the network-attachment-definition CRD, - that enable the pod multi-networking capability. Setting the parameter to 'true' might be useful when you need install third-party CNI plugins, - but these plugins are not supported by Red Hat. Changing the parameter value as a postinstallation cluster task has no effect. - type: boolean - disableNetworkDiagnostics: - default: false - description: |- - disableNetworkDiagnostics specifies whether or not PodNetworkConnectivityCheck - CRs from a test pod to every node, apiserver and LB should be disabled or not. - If unset, this property defaults to 'false' and network diagnostics is enabled. - Setting this to 'true' would reduce the additional load of the pods performing the checks. - type: boolean - exportNetworkFlows: - description: |- - exportNetworkFlows enables and configures the export of network flow metadata from the pod network - by using protocols NetFlow, SFlow or IPFIX. Currently only supported on OVN-Kubernetes plugin. - If unset, flows will not be exported to any collector. - properties: - ipfix: - description: ipfix defines IPFIX configuration. 
- properties: - collectors: - description: ipfixCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - netFlow: - description: netFlow defines the NetFlow configuration. - properties: - collectors: - description: |- - netFlow defines the NetFlow collectors that will consume the flow data exported from OVS. - It is a list of strings formatted as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - sFlow: - description: sFlow defines the SFlow configuration. - properties: - collectors: - description: sFlowCollectors is list of strings formatted - as ip:port with a maximum of ten items - items: - pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - type: object - type: object - kubeProxyConfig: - description: |- - kubeProxyConfig lets us configure desired proxy configuration, if - deployKubeProxy is true. If not specified, sensible defaults will be chosen by - OpenShift directly. - properties: - bindAddress: - description: |- - The address to "bind" on - Defaults to 0.0.0.0 - type: string - iptablesSyncPeriod: - description: |- - An internal kube-proxy parameter. 
In older releases of OCP, this sometimes needed to be adjusted - in large clusters for performance reasons, but this is no longer necessary, and there is no reason - to change this from the default value. - Default: 30s - type: string - proxyArguments: - additionalProperties: - description: ProxyArgumentList is a list of arguments to pass - to the kubeproxy process - items: - type: string - type: array - x-kubernetes-list-type: atomic - description: Any additional arguments to pass to the kubeproxy - process - type: object - type: object - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Unmanaged|Force|Removed)$ - type: string - migration: - description: |- - migration enables and configures cluster network migration, for network changes - that cannot be made instantly. - properties: - features: - description: |- - features was previously used to configure which network plugin features - would be migrated in a network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - properties: - egressFirewall: - default: true - description: |- - egressFirewall specified whether or not the Egress Firewall configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - egressIP: - default: true - description: |- - egressIP specified whether or not the Egress IP configuration was migrated. 
- DEPRECATED: network type migration is no longer supported. - type: boolean - multicast: - default: true - description: |- - multicast specified whether or not the multicast configuration was migrated. - DEPRECATED: network type migration is no longer supported. - type: boolean - type: object - mode: - description: |- - mode indicates the mode of network type migration. - DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - enum: - - Live - - Offline - - "" - type: string - mtu: - description: |- - mtu contains the MTU migration configuration. Set this to allow changing - the MTU values for the default network. If unset, the operation of - changing the MTU for the default network will be rejected. - properties: - machine: - description: |- - machine contains MTU migration configuration for the machine's uplink. - Needs to be migrated along with the default network MTU unless the - current uplink MTU already accommodates the default network MTU. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - network: - description: |- - network contains information about MTU migration for the default network. - Migrations are only allowed to MTU values lower than the machine's uplink - MTU by the minimum appropriate offset. - properties: - from: - description: from is the MTU to migrate from. - format: int32 - minimum: 0 - type: integer - to: - description: to is the MTU to migrate to. - format: int32 - minimum: 0 - type: integer - type: object - type: object - networkType: - description: |- - networkType was previously used when changing the default network type. 
- DEPRECATED: network type migration is no longer supported, and setting - this to a non-empty value will result in the network operator rejecting - the configuration. - type: string - type: object - x-kubernetes-validations: - - message: networkType migration in mode other than 'Live' may not - be configured at the same time as mtu migration - rule: '!has(self.mtu) || !has(self.networkType) || self.networkType - == "" || has(self.mode) && self.mode == ''Live''' - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - serviceNetwork: - description: |- - serviceNetwork is the ip address pool to use for Service IPs - Currently, all existing network providers only support a single value - here, but this is an array to allow for growth. - items: - type: string - type: array - x-kubernetes-list-type: atomic - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. 
- nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - useMultiNetworkPolicy: - description: |- - useMultiNetworkPolicy enables a controller which allows for - MultiNetworkPolicy objects to be used on additional networks as - created by Multus CNI. MultiNetworkPolicy are similar to NetworkPolicy - objects, but NetworkPolicy objects only apply to the primary interface. - With MultiNetworkPolicy, you can control the traffic that a pod can receive - over the secondary interfaces. If unset, this property defaults to 'false' - and MultiNetworkPolicy objects are ignored. If 'disableMultiNetwork' is - 'true' then the value of this field is ignored. - type: boolean - type: object - x-kubernetes-validations: - - message: Route advertisements cannot be Enabled if 'FRR' routing capability - provider is not available - rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) - || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) - || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != - 'Enabled' - - message: invalid value for IPForwarding, valid values are 'Restricted' - or 'Global' - rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) - || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || - !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding - == ''Global''' - status: - description: |- - NetworkStatus is detailed operator status, which is distilled - up to the Network clusteroperator object. 
- properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. 
- properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - version: - description: version is the level this availability applies to - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml index 8d40d869ab..73078d0302 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: networks.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 81f2a87a99..e9750a9242 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -71,7 +71,6 @@ clustercsidrivers.operator.openshift.io: FeatureGates: - AWSEFSDriverVolumeMetrics - VSphereConfigurableMaxAllowedBlockVolumesPerNode - - VSphereDriverConfiguration FilenameOperatorName: csi-driver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_50" 
@@ -309,7 +308,6 @@ machineconfigurations.operator.openshift.io: Category: "" FeatureGates: - ManagedBootImages - - NodeDisruptionPolicy FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" diff --git a/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go b/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go index 00eb91f7b9..55e6396906 100644 --- a/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go +++ b/vendor/github.com/openshift/api/payload-command/render/legacyfeaturegates.go @@ -19,8 +19,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "AzureWorkloadIdentity", // never add to this list, if you think you have an exception ask @deads2k - "BareMetalLoadBalancer", - // never add to this list, if you think you have an exception ask @deads2k "BootcNodeManagement", // never add to this list, if you think you have an exception ask @deads2k "BuildCSIVolumes", @@ -105,8 +103,6 @@ var legacyFeatureGates = sets.New( // never add to this list, if you think you have an exception ask @deads2k "PinnedImages", // never add to this list, if you think you have an exception ask @deads2k - "PlatformOperators", - // never add to this list, if you think you have an exception ask @deads2k "PrivateHostedZoneAWS", // never add to this list, if you think you have an exception ask @deads2k "RouteAdvertisements", diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go new file mode 100644 index 0000000000..1ee4a91fb3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go 
@@ -0,0 +1,246 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + metav1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterImagePolicyApplyConfiguration represents a declarative configuration of the ClusterImagePolicy type for use +// with apply. +type ClusterImagePolicyApplyConfiguration struct { + metav1.TypeMetaApplyConfiguration `json:",inline"` + *metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *ClusterImagePolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ClusterImagePolicy constructs a declarative configuration of the ClusterImagePolicy type for use with +// apply. +func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration { + b := &ClusterImagePolicyApplyConfiguration{} + b.WithName(name) + b.WithKind("ClusterImagePolicy") + b.WithAPIVersion("config.openshift.io/v1") + return b +} + +// ExtractClusterImagePolicy extracts the applied configuration owned by fieldManager from +// clusterImagePolicy. If no managedFields are found in clusterImagePolicy for fieldManager, a +// ClusterImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. +// clusterImagePolicy must be a unmodified ClusterImagePolicy API object that was retrieved from the Kubernetes API. 
+// ExtractClusterImagePolicy provides a way to perform a extract/modify-in-place/apply workflow. +// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractClusterImagePolicy(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) { + return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "") +} + +// ExtractClusterImagePolicyStatus is the same as ExtractClusterImagePolicy except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractClusterImagePolicyStatus(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) { + return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "status") +} + +func extractClusterImagePolicy(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) { + b := &ClusterImagePolicyApplyConfiguration{} + err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterImagePolicy"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(clusterImagePolicy.Name) + + b.WithKind("ClusterImagePolicy") + b.WithAPIVersion("config.openshift.io/v1") + return b, nil +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. 
+func (b *ClusterImagePolicyApplyConfiguration) WithKind(value string) *ClusterImagePolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithAPIVersion(value string) *ClusterImagePolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithName(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithGenerateName(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *ClusterImagePolicyApplyConfiguration) WithNamespace(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithUID(value types.UID) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithResourceVersion(value string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithGeneration(value int64) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. 
+func (b *ClusterImagePolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *ClusterImagePolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. 
+func (b *ClusterImagePolicyApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *ClusterImagePolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *ClusterImagePolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithSpec(value *ClusterImagePolicySpecApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the Status field is set to the value of the last call. +func (b *ClusterImagePolicyApplyConfiguration) WithStatus(value *ClusterImagePolicyStatusApplyConfiguration) *ClusterImagePolicyApplyConfiguration { + b.Status = value + return b +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *ClusterImagePolicyApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go new file mode 100644 index 0000000000..6c86d66d47 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go 
@@ -0,0 +1,38 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use +// with apply. +type ClusterImagePolicySpecApplyConfiguration struct { + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *PolicyApplyConfiguration `json:"policy,omitempty"` +} + +// ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with +// apply. +func ClusterImagePolicySpec() *ClusterImagePolicySpecApplyConfiguration { + return &ClusterImagePolicySpecApplyConfiguration{} +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1.ImageScope) *ClusterImagePolicySpecApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration { + b.Policy = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go new file mode 100644 index 0000000000..f508f70912 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go @@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + metav1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterImagePolicyStatusApplyConfiguration represents a declarative configuration of the ClusterImagePolicyStatus type for use +// with apply. +type ClusterImagePolicyStatusApplyConfiguration struct { + Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` +} + +// ClusterImagePolicyStatusApplyConfiguration constructs a declarative configuration of the ClusterImagePolicyStatus type for use with +// apply. +func ClusterImagePolicyStatus() *ClusterImagePolicyStatusApplyConfiguration { + return &ClusterImagePolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ClusterImagePolicyStatusApplyConfiguration) WithConditions(values ...*metav1.ConditionApplyConfiguration) *ClusterImagePolicyStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go new file mode 100644 index 0000000000..48b553580d --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go 
@@ -0,0 +1,45 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use +// with apply. +type FulcioCAWithRekorApplyConfiguration struct { + FulcioCAData []byte `json:"fulcioCAData,omitempty"` + RekorKeyData []byte `json:"rekorKeyData,omitempty"` + FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"` +} + +// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with +// apply. +func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration { + return &FulcioCAWithRekorApplyConfiguration{} +} + +// WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the FulcioCAData field. +func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration { + for i := range values { + b.FulcioCAData = append(b.FulcioCAData, values[i]) + } + return b +} + +// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the RekorKeyData field. +func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration { + for i := range values { + b.RekorKeyData = append(b.RekorKeyData, values[i]) + } + return b +} + +// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the FulcioSubject field is set to the value of the last call. +func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration { + b.FulcioSubject = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go new file mode 100644 index 0000000000..6ccc3746ae --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go 
@@ -0,0 +1,248 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + metav1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ImagePolicyApplyConfiguration represents a declarative configuration of the ImagePolicy type for use +// with apply. +type ImagePolicyApplyConfiguration struct { + metav1.TypeMetaApplyConfiguration `json:",inline"` + *metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *ImagePolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ImagePolicy constructs a declarative configuration of the ImagePolicy type for use with +// apply. +func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration { + b := &ImagePolicyApplyConfiguration{} + b.WithName(name) + b.WithNamespace(namespace) + b.WithKind("ImagePolicy") + b.WithAPIVersion("config.openshift.io/v1") + return b +} + +// ExtractImagePolicy extracts the applied configuration owned by fieldManager from +// imagePolicy. If no managedFields are found in imagePolicy for fieldManager, a +// ImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. +// imagePolicy must be a unmodified ImagePolicy API object that was retrieved from the Kubernetes API. +// ExtractImagePolicy provides a way to perform a extract/modify-in-place/apply workflow. 
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractImagePolicy(imagePolicy *configv1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) { + return extractImagePolicy(imagePolicy, fieldManager, "") +} + +// ExtractImagePolicyStatus is the same as ExtractImagePolicy except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractImagePolicyStatus(imagePolicy *configv1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) { + return extractImagePolicy(imagePolicy, fieldManager, "status") +} + +func extractImagePolicy(imagePolicy *configv1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) { + b := &ImagePolicyApplyConfiguration{} + err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ImagePolicy"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(imagePolicy.Name) + b.WithNamespace(imagePolicy.Namespace) + + b.WithKind("ImagePolicy") + b.WithAPIVersion("config.openshift.io/v1") + return b, nil +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithKind(value string) *ImagePolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithAPIVersion(value string) *ImagePolicyApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithName(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithGenerateName(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithNamespace(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the UID field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithUID(value types.UID) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithResourceVersion(value string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithGeneration(value int64) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. 
+func (b *ImagePolicyApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. 
+func (b *ImagePolicyApplyConfiguration) WithLabels(entries map[string]string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *ImagePolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. 
+func (b *ImagePolicyApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *ImagePolicyApplyConfiguration) WithFinalizers(values ...string) *ImagePolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *ImagePolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *ImagePolicyApplyConfiguration) WithSpec(value *ImagePolicySpecApplyConfiguration) *ImagePolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. 
+func (b *ImagePolicyApplyConfiguration) WithStatus(value *ImagePolicyStatusApplyConfiguration) *ImagePolicyApplyConfiguration { + b.Status = value + return b +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *ImagePolicyApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go new file mode 100644 index 0000000000..b75165c8d0 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go 
@@ -0,0 +1,38 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use +// with apply. +type ImagePolicySpecApplyConfiguration struct { + Scopes []configv1.ImageScope `json:"scopes,omitempty"` + Policy *PolicyApplyConfiguration `json:"policy,omitempty"` +} + +// ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with +// apply. +func ImagePolicySpec() *ImagePolicySpecApplyConfiguration { + return &ImagePolicySpecApplyConfiguration{} +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1.ImageScope) *ImagePolicySpecApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration { + b.Policy = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go new file mode 100644 index 0000000000..aebb2698c9 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + metav1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ImagePolicyStatusApplyConfiguration represents a declarative configuration of the ImagePolicyStatus type for use +// with apply. +type ImagePolicyStatusApplyConfiguration struct { + Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` +} + +// ImagePolicyStatusApplyConfiguration constructs a declarative configuration of the ImagePolicyStatus type for use with +// apply. +func ImagePolicyStatus() *ImagePolicyStatusApplyConfiguration { + return &ImagePolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *ImagePolicyStatusApplyConfiguration) WithConditions(values ...*metav1.ConditionApplyConfiguration) *ImagePolicyStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go new file mode 100644 index 0000000000..65f27edf8e --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go 
@@ -0,0 +1,45 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// PKIApplyConfiguration represents a declarative configuration of the PKI type for use +// with apply. +type PKIApplyConfiguration struct { + CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"` + CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` + PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"` +} + +// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with +// apply. +func PKI() *PKIApplyConfiguration { + return &PKIApplyConfiguration{} +} + +// WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field. +func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration { + for i := range values { + b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i]) + } + return b +} + +// WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field. 
+func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration { + for i := range values { + b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i]) + } + return b +} + +// WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PKICertificateSubject field is set to the value of the last call. +func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration { + b.PKICertificateSubject = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go new file mode 100644 index 0000000000..70181700b3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// PKICertificateSubjectApplyConfiguration represents a declarative configuration of the PKICertificateSubject type for use +// with apply. +type PKICertificateSubjectApplyConfiguration struct { + Email *string `json:"email,omitempty"` + Hostname *string `json:"hostname,omitempty"` +} + +// PKICertificateSubjectApplyConfiguration constructs a declarative configuration of the PKICertificateSubject type for use with +// apply. +func PKICertificateSubject() *PKICertificateSubjectApplyConfiguration { + return &PKICertificateSubjectApplyConfiguration{} +} + +// WithEmail sets the Email field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Email field is set to the value of the last call. +func (b *PKICertificateSubjectApplyConfiguration) WithEmail(value string) *PKICertificateSubjectApplyConfiguration { + b.Email = &value + return b +} + +// WithHostname sets the Hostname field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Hostname field is set to the value of the last call. +func (b *PKICertificateSubjectApplyConfiguration) WithHostname(value string) *PKICertificateSubjectApplyConfiguration { + b.Hostname = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go new file mode 100644 index 0000000000..3e29510bf1 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use +// with apply. +type PolicyApplyConfiguration struct { + RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"` + SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"` +} + +// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with +// apply. +func Policy() *PolicyApplyConfiguration { + return &PolicyApplyConfiguration{} +} + +// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RootOfTrust field is set to the value of the last call. +func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration { + b.RootOfTrust = value + return b +} + +// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedIdentity field is set to the value of the last call. +func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration { + b.SignedIdentity = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go new file mode 100644 index 0000000000..7f61d420c0 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// PolicyFulcioSubjectApplyConfiguration represents a declarative configuration of the PolicyFulcioSubject type for use +// with apply. +type PolicyFulcioSubjectApplyConfiguration struct { + OIDCIssuer *string `json:"oidcIssuer,omitempty"` + SignedEmail *string `json:"signedEmail,omitempty"` +} + +// PolicyFulcioSubjectApplyConfiguration constructs a declarative configuration of the PolicyFulcioSubject type for use with +// apply. +func PolicyFulcioSubject() *PolicyFulcioSubjectApplyConfiguration { + return &PolicyFulcioSubjectApplyConfiguration{} +} + +// WithOIDCIssuer sets the OIDCIssuer field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the OIDCIssuer field is set to the value of the last call. +func (b *PolicyFulcioSubjectApplyConfiguration) WithOIDCIssuer(value string) *PolicyFulcioSubjectApplyConfiguration { + b.OIDCIssuer = &value + return b +} + +// WithSignedEmail sets the SignedEmail field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedEmail field is set to the value of the last call. +func (b *PolicyFulcioSubjectApplyConfiguration) WithSignedEmail(value string) *PolicyFulcioSubjectApplyConfiguration { + b.SignedEmail = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go new file mode 100644 index 0000000000..0e4e46be69 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go 
@@ -0,0 +1,45 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// PolicyIdentityApplyConfiguration represents a declarative configuration of the PolicyIdentity type for use +// with apply. +type PolicyIdentityApplyConfiguration struct { + MatchPolicy *configv1.IdentityMatchPolicy `json:"matchPolicy,omitempty"` + PolicyMatchExactRepository *PolicyMatchExactRepositoryApplyConfiguration `json:"exactRepository,omitempty"` + PolicyMatchRemapIdentity *PolicyMatchRemapIdentityApplyConfiguration `json:"remapIdentity,omitempty"` +} + +// PolicyIdentityApplyConfiguration constructs a declarative configuration of the PolicyIdentity type for use with +// apply. +func PolicyIdentity() *PolicyIdentityApplyConfiguration { + return &PolicyIdentityApplyConfiguration{} +} + +// WithMatchPolicy sets the MatchPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MatchPolicy field is set to the value of the last call. +func (b *PolicyIdentityApplyConfiguration) WithMatchPolicy(value configv1.IdentityMatchPolicy) *PolicyIdentityApplyConfiguration { + b.MatchPolicy = &value + return b +} + +// WithPolicyMatchExactRepository sets the PolicyMatchExactRepository field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyMatchExactRepository field is set to the value of the last call. 
+func (b *PolicyIdentityApplyConfiguration) WithPolicyMatchExactRepository(value *PolicyMatchExactRepositoryApplyConfiguration) *PolicyIdentityApplyConfiguration { + b.PolicyMatchExactRepository = value + return b +} + +// WithPolicyMatchRemapIdentity sets the PolicyMatchRemapIdentity field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyMatchRemapIdentity field is set to the value of the last call. +func (b *PolicyIdentityApplyConfiguration) WithPolicyMatchRemapIdentity(value *PolicyMatchRemapIdentityApplyConfiguration) *PolicyIdentityApplyConfiguration { + b.PolicyMatchRemapIdentity = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go new file mode 100644 index 0000000000..3b4fcbd9ce --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go 
@@ -0,0 +1,27 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// PolicyMatchExactRepositoryApplyConfiguration represents a declarative configuration of the PolicyMatchExactRepository type for use +// with apply. +type PolicyMatchExactRepositoryApplyConfiguration struct { + Repository *configv1.IdentityRepositoryPrefix `json:"repository,omitempty"` +} + +// PolicyMatchExactRepositoryApplyConfiguration constructs a declarative configuration of the PolicyMatchExactRepository type for use with +// apply. +func PolicyMatchExactRepository() *PolicyMatchExactRepositoryApplyConfiguration { + return &PolicyMatchExactRepositoryApplyConfiguration{} +} + +// WithRepository sets the Repository field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Repository field is set to the value of the last call. +func (b *PolicyMatchExactRepositoryApplyConfiguration) WithRepository(value configv1.IdentityRepositoryPrefix) *PolicyMatchExactRepositoryApplyConfiguration { + b.Repository = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go new file mode 100644 index 0000000000..3cf5ccf68c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// PolicyMatchRemapIdentityApplyConfiguration represents a declarative configuration of the PolicyMatchRemapIdentity type for use +// with apply. +type PolicyMatchRemapIdentityApplyConfiguration struct { + Prefix *configv1.IdentityRepositoryPrefix `json:"prefix,omitempty"` + SignedPrefix *configv1.IdentityRepositoryPrefix `json:"signedPrefix,omitempty"` +} + +// PolicyMatchRemapIdentityApplyConfiguration constructs a declarative configuration of the PolicyMatchRemapIdentity type for use with +// apply. +func PolicyMatchRemapIdentity() *PolicyMatchRemapIdentityApplyConfiguration { + return &PolicyMatchRemapIdentityApplyConfiguration{} +} + +// WithPrefix sets the Prefix field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Prefix field is set to the value of the last call. +func (b *PolicyMatchRemapIdentityApplyConfiguration) WithPrefix(value configv1.IdentityRepositoryPrefix) *PolicyMatchRemapIdentityApplyConfiguration { + b.Prefix = &value + return b +} + +// WithSignedPrefix sets the SignedPrefix field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SignedPrefix field is set to the value of the last call. +func (b *PolicyMatchRemapIdentityApplyConfiguration) WithSignedPrefix(value configv1.IdentityRepositoryPrefix) *PolicyMatchRemapIdentityApplyConfiguration { + b.SignedPrefix = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go new file mode 100644 index 0000000000..f1ff91ffbd --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go 
@@ -0,0 +1,54 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use +// with apply. +type PolicyRootOfTrustApplyConfiguration struct { + PolicyType *configv1.PolicyType `json:"policyType,omitempty"` + PublicKey *PublicKeyApplyConfiguration `json:"publicKey,omitempty"` + FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"` + PKI *PKIApplyConfiguration `json:"pki,omitempty"` +} + +// PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with +// apply. +func PolicyRootOfTrust() *PolicyRootOfTrustApplyConfiguration { + return &PolicyRootOfTrustApplyConfiguration{} +} + +// WithPolicyType sets the PolicyType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PolicyType field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1.PolicyType) *PolicyRootOfTrustApplyConfiguration { + b.PolicyType = &value + return b +} + +// WithPublicKey sets the PublicKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PublicKey field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { + b.PublicKey = value + return b +} + +// WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the FulcioCAWithRekor field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { + b.FulcioCAWithRekor = value + return b +} + +// WithPKI sets the PKI field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PKI field is set to the value of the last call. +func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration { + b.PKI = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go new file mode 100644 index 0000000000..c1073e882f --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use +// with apply. +type PublicKeyApplyConfiguration struct { + KeyData []byte `json:"keyData,omitempty"` + RekorKeyData []byte `json:"rekorKeyData,omitempty"` +} + +// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with +// apply. +func PublicKey() *PublicKeyApplyConfiguration { + return &PublicKeyApplyConfiguration{} +} + +// WithKeyData adds the given value to the KeyData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the KeyData field. +func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration { + for i := range values { + b.KeyData = append(b.KeyData, values[i]) + } + return b +} + +// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the RekorKeyData field. +func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration { + for i := range values { + b.RekorKeyData = append(b.RekorKeyData, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go index e90a90117f..2045ee5039 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go @@ -9,9 +9,9 @@ import ( // UsernameClaimMappingApplyConfiguration represents a declarative configuration of the UsernameClaimMapping type for use // with apply. type UsernameClaimMappingApplyConfiguration struct { - TokenClaimMappingApplyConfiguration `json:",inline"` - PrefixPolicy *configv1.UsernamePrefixPolicy `json:"prefixPolicy,omitempty"` - Prefix *UsernamePrefixApplyConfiguration `json:"prefix,omitempty"` + Claim *string `json:"claim,omitempty"` + PrefixPolicy *configv1.UsernamePrefixPolicy `json:"prefixPolicy,omitempty"` + Prefix *UsernamePrefixApplyConfiguration `json:"prefix,omitempty"` } // UsernameClaimMappingApplyConfiguration constructs a declarative configuration of the UsernameClaimMapping type for use with @@ -24,7 +24,7 @@ func UsernameClaimMapping() *UsernameClaimMappingApplyConfiguration { // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Claim field is set to the value of the last call. func (b *UsernameClaimMappingApplyConfiguration) WithClaim(value string) *UsernameClaimMappingApplyConfiguration { - b.TokenClaimMappingApplyConfiguration.Claim = &value + b.Claim = &value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go new file mode 100644 index 0000000000..3903cf882e --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go 
@@ -0,0 +1,28 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// CustomApplyConfiguration represents a declarative configuration of the Custom type for use +// with apply. +type CustomApplyConfiguration struct { + Configs []GathererConfigApplyConfiguration `json:"configs,omitempty"` +} + +// CustomApplyConfiguration constructs a declarative configuration of the Custom type for use with +// apply. +func Custom() *CustomApplyConfiguration { + return &CustomApplyConfiguration{} +} + +// WithConfigs adds the given value to the Configs field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Configs field. +func (b *CustomApplyConfiguration) WithConfigs(values ...*GathererConfigApplyConfiguration) *CustomApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConfigs") + } + b.Configs = append(b.Configs, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go new file mode 100644 index 0000000000..6a11bada8a --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go 
@@ -0,0 +1,47 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" +) + +// GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use +// with apply. +type GatherConfigApplyConfiguration struct { + DataPolicy []configv1alpha2.DataPolicyOption `json:"dataPolicy,omitempty"` + Gatherers *GatherersApplyConfiguration `json:"gatherers,omitempty"` + Storage *StorageApplyConfiguration `json:"storage,omitempty"` +} + +// GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with +// apply. +func GatherConfig() *GatherConfigApplyConfiguration { + return &GatherConfigApplyConfiguration{} +} + +// WithDataPolicy adds the given value to the DataPolicy field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the DataPolicy field. +func (b *GatherConfigApplyConfiguration) WithDataPolicy(values ...configv1alpha2.DataPolicyOption) *GatherConfigApplyConfiguration { + for i := range values { + b.DataPolicy = append(b.DataPolicy, values[i]) + } + return b +} + +// WithGatherers sets the Gatherers field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Gatherers field is set to the value of the last call. +func (b *GatherConfigApplyConfiguration) WithGatherers(value *GatherersApplyConfiguration) *GatherConfigApplyConfiguration { + b.Gatherers = value + return b +} + +// WithStorage sets the Storage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the Storage field is set to the value of the last call. +func (b *GatherConfigApplyConfiguration) WithStorage(value *StorageApplyConfiguration) *GatherConfigApplyConfiguration { + b.Storage = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go new file mode 100644 index 0000000000..bbcd7464ec --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" +) + +// GathererConfigApplyConfiguration represents a declarative configuration of the GathererConfig type for use +// with apply. +type GathererConfigApplyConfiguration struct { + Name *string `json:"name,omitempty"` + State *configv1alpha2.GathererState `json:"state,omitempty"` +} + +// GathererConfigApplyConfiguration constructs a declarative configuration of the GathererConfig type for use with +// apply. +func GathererConfig() *GathererConfigApplyConfiguration { + return &GathererConfigApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *GathererConfigApplyConfiguration) WithName(value string) *GathererConfigApplyConfiguration { + b.Name = &value + return b +} + +// WithState sets the State field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the State field is set to the value of the last call. +func (b *GathererConfigApplyConfiguration) WithState(value configv1alpha2.GathererState) *GathererConfigApplyConfiguration { + b.State = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go new file mode 100644 index 0000000000..328f1efda5 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" +) + +// GatherersApplyConfiguration represents a declarative configuration of the Gatherers type for use +// with apply. +type GatherersApplyConfiguration struct { + Mode *configv1alpha2.GatheringMode `json:"mode,omitempty"` + Custom *CustomApplyConfiguration `json:"custom,omitempty"` +} + +// GatherersApplyConfiguration constructs a declarative configuration of the Gatherers type for use with +// apply. +func Gatherers() *GatherersApplyConfiguration { + return &GatherersApplyConfiguration{} +} + +// WithMode sets the Mode field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Mode field is set to the value of the last call. +func (b *GatherersApplyConfiguration) WithMode(value configv1alpha2.GatheringMode) *GatherersApplyConfiguration { + b.Mode = &value + return b +} + +// WithCustom sets the Custom field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Custom field is set to the value of the last call. +func (b *GatherersApplyConfiguration) WithCustom(value *CustomApplyConfiguration) *GatherersApplyConfiguration { + b.Custom = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go new file mode 100644 index 0000000000..f0c9797c5f --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go 
@@ -0,0 +1,246 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" + internal "github.com/openshift/client-go/config/applyconfigurations/internal" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use +// with apply. +type InsightsDataGatherApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"` + Status *configv1alpha2.InsightsDataGatherStatus `json:"status,omitempty"` +} + +// InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with +// apply. +func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration { + b := &InsightsDataGatherApplyConfiguration{} + b.WithName(name) + b.WithKind("InsightsDataGather") + b.WithAPIVersion("config.openshift.io/v1alpha2") + return b +} + +// ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from +// insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a +// InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable), +// APIVersion and Kind populated. It is possible that no managed fields were found for because other +// field managers have taken ownership of all the fields previously owned by fieldManager, or because +// the fieldManager never owned fields any fields. +// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API. 
+// ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow. +// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously +// applied if another fieldManager has updated or force applied any of the previously applied fields. +// Experimental! +func ExtractInsightsDataGather(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { + return extractInsightsDataGather(insightsDataGather, fieldManager, "") +} + +// ExtractInsightsDataGatherStatus is the same as ExtractInsightsDataGather except +// that it extracts the status subresource applied configuration. +// Experimental! +func ExtractInsightsDataGatherStatus(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { + return extractInsightsDataGather(insightsDataGather, fieldManager, "status") +} + +func extractInsightsDataGather(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) { + b := &InsightsDataGatherApplyConfiguration{} + err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1alpha2.InsightsDataGather"), fieldManager, b, subresource) + if err != nil { + return nil, err + } + b.WithName(insightsDataGather.Name) + + b.WithKind("InsightsDataGather") + b.WithAPIVersion("config.openshift.io/v1alpha2") + return b, nil +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. 
+func (b *InsightsDataGatherApplyConfiguration) WithKind(value string) *InsightsDataGatherApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithAPIVersion(value string) *InsightsDataGatherApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithName(value string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithGenerateName(value string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *InsightsDataGatherApplyConfiguration) WithNamespace(value string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithUID(value types.UID) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithResourceVersion(value string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithGeneration(value int64) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithCreationTimestamp(value metav1.Time) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. 
+func (b *InsightsDataGatherApplyConfiguration) WithLabels(entries map[string]string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *InsightsDataGatherApplyConfiguration) WithAnnotations(entries map[string]string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. 
+func (b *InsightsDataGatherApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *InsightsDataGatherApplyConfiguration) WithFinalizers(values ...string) *InsightsDataGatherApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *InsightsDataGatherApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithSpec(value *InsightsDataGatherSpecApplyConfiguration) *InsightsDataGatherApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the Status field is set to the value of the last call. +func (b *InsightsDataGatherApplyConfiguration) WithStatus(value configv1alpha2.InsightsDataGatherStatus) *InsightsDataGatherApplyConfiguration { + b.Status = &value + return b +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *InsightsDataGatherApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go new file mode 100644 index 0000000000..277b1de86b --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go 
@@ -0,0 +1,23 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use +// with apply. +type InsightsDataGatherSpecApplyConfiguration struct { + GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"` +} + +// InsightsDataGatherSpecApplyConfiguration constructs a declarative configuration of the InsightsDataGatherSpec type for use with +// apply. +func InsightsDataGatherSpec() *InsightsDataGatherSpecApplyConfiguration { + return &InsightsDataGatherSpecApplyConfiguration{} +} + +// WithGatherConfig sets the GatherConfig field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GatherConfig field is set to the value of the last call. +func (b *InsightsDataGatherSpecApplyConfiguration) WithGatherConfig(value *GatherConfigApplyConfiguration) *InsightsDataGatherSpecApplyConfiguration { + b.GatherConfig = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go new file mode 100644 index 0000000000..9d194b02f8 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go 
@@ -0,0 +1,23 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use +// with apply. +type PersistentVolumeClaimReferenceApplyConfiguration struct { + Name *string `json:"name,omitempty"` +} + +// PersistentVolumeClaimReferenceApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimReference type for use with +// apply. +func PersistentVolumeClaimReference() *PersistentVolumeClaimReferenceApplyConfiguration { + return &PersistentVolumeClaimReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *PersistentVolumeClaimReferenceApplyConfiguration) WithName(value string) *PersistentVolumeClaimReferenceApplyConfiguration { + b.Name = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go new file mode 100644 index 0000000000..d3341d1b16 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go 
@@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use +// with apply. +type PersistentVolumeConfigApplyConfiguration struct { + Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"` + MountPath *string `json:"mountPath,omitempty"` +} + +// PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with +// apply. +func PersistentVolumeConfig() *PersistentVolumeConfigApplyConfiguration { + return &PersistentVolumeConfigApplyConfiguration{} +} + +// WithClaim sets the Claim field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Claim field is set to the value of the last call. +func (b *PersistentVolumeConfigApplyConfiguration) WithClaim(value *PersistentVolumeClaimReferenceApplyConfiguration) *PersistentVolumeConfigApplyConfiguration { + b.Claim = value + return b +} + +// WithMountPath sets the MountPath field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MountPath field is set to the value of the last call. +func (b *PersistentVolumeConfigApplyConfiguration) WithMountPath(value string) *PersistentVolumeConfigApplyConfiguration { + b.MountPath = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go new file mode 100644 index 0000000000..596258c48b --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" +) + +// StorageApplyConfiguration represents a declarative configuration of the Storage type for use +// with apply. +type StorageApplyConfiguration struct { + Type *configv1alpha2.StorageType `json:"type,omitempty"` + PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"` +} + +// StorageApplyConfiguration constructs a declarative configuration of the Storage type for use with +// apply. +func Storage() *StorageApplyConfiguration { + return &StorageApplyConfiguration{} +} + +// WithType sets the Type field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Type field is set to the value of the last call. +func (b *StorageApplyConfiguration) WithType(value configv1alpha2.StorageType) *StorageApplyConfiguration { + b.Type = &value + return b +} + +// WithPersistentVolume sets the PersistentVolume field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PersistentVolume field is set to the value of the last call. +func (b *StorageApplyConfiguration) WithPersistentVolume(value *PersistentVolumeConfigApplyConfiguration) *StorageApplyConfiguration { + b.PersistentVolume = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index e578bc152c..d65465241b 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go 
@@ -597,6 +597,51 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.ClusterImagePolicy + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1.ClusterImagePolicySpec + default: {} + - name: status + type: + namedType: com.github.openshift.api.config.v1.ClusterImagePolicyStatus + default: {} +- name: com.github.openshift.api.config.v1.ClusterImagePolicySpec + map: + fields: + - name: policy + type: + namedType: com.github.openshift.api.config.v1.Policy + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1.ClusterImagePolicyStatus + map: + fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: com.github.openshift.api.config.v1.ClusterNetworkEntry map: fields: @@ -1266,6 +1311,19 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - version +- name: com.github.openshift.api.config.v1.FulcioCAWithRekor + map: + fields: + - name: fulcioCAData + type: + scalar: string + - name: fulcioSubject + type: + namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject + default: {} + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1.GCPPlatformSpec map: elementType: 
@@ -1653,6 +1711,51 @@ var schemaYAML = typed.YAMLObject(`types: - name: value type: scalar: string +- name: com.github.openshift.api.config.v1.ImagePolicy + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1.ImagePolicySpec + default: {} + - name: status + type: + namedType: com.github.openshift.api.config.v1.ImagePolicyStatus + default: {} +- name: com.github.openshift.api.config.v1.ImagePolicySpec + map: + fields: + - name: policy + type: + namedType: com.github.openshift.api.config.v1.Policy + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative +- name: com.github.openshift.api.config.v1.ImagePolicyStatus + map: + fields: + - name: conditions + type: + list: + elementType: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition + elementRelationship: associative + keys: + - type - name: com.github.openshift.api.config.v1.ImageSpec map: fields: @@ -2801,6 +2904,28 @@ var schemaYAML = typed.YAMLObject(`types: - name: nodeDNSIP type: scalar: string +- name: com.github.openshift.api.config.v1.PKI + map: + fields: + - name: caIntermediatesData + type: + scalar: string + - name: caRootsData + type: + scalar: string + - name: pkiCertificateSubject + type: + namedType: com.github.openshift.api.config.v1.PKICertificateSubject + default: {} +- name: com.github.openshift.api.config.v1.PKICertificateSubject + map: + fields: + - name: email + type: + scalar: string + - name: hostname + type: + scalar: string - name: com.github.openshift.api.config.v1.PlatformSpec map: fields: 
@@ -2899,6 +3024,90 @@ var schemaYAML = typed.YAMLObject(`types: - name: vsphere type: namedType: com.github.openshift.api.config.v1.VSpherePlatformStatus +- name: com.github.openshift.api.config.v1.Policy + map: + fields: + - name: rootOfTrust + type: + namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust + default: {} + - name: signedIdentity + type: + namedType: com.github.openshift.api.config.v1.PolicyIdentity +- name: com.github.openshift.api.config.v1.PolicyFulcioSubject + map: + fields: + - name: oidcIssuer + type: + scalar: string + default: "" + - name: signedEmail + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1.PolicyIdentity + map: + fields: + - name: exactRepository + type: + namedType: com.github.openshift.api.config.v1.PolicyMatchExactRepository + - name: matchPolicy + type: + scalar: string + default: "" + - name: remapIdentity + type: + namedType: com.github.openshift.api.config.v1.PolicyMatchRemapIdentity + unions: + - discriminator: matchPolicy + fields: + - fieldName: exactRepository + discriminatorValue: PolicyMatchExactRepository + - fieldName: remapIdentity + discriminatorValue: PolicyMatchRemapIdentity +- name: com.github.openshift.api.config.v1.PolicyMatchExactRepository + map: + fields: + - name: repository + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1.PolicyMatchRemapIdentity + map: + fields: + - name: prefix + type: + scalar: string + default: "" + - name: signedPrefix + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1.PolicyRootOfTrust + map: + fields: + - name: fulcioCAWithRekor + type: + namedType: com.github.openshift.api.config.v1.FulcioCAWithRekor + - name: pki + type: + namedType: com.github.openshift.api.config.v1.PKI + - name: policyType + type: + scalar: string + default: "" + - name: publicKey + type: + namedType: com.github.openshift.api.config.v1.PublicKey + unions: + - discriminator: policyType + fields: + - 
fieldName: fulcioCAWithRekor + discriminatorValue: FulcioCAWithRekor + - fieldName: pki + discriminatorValue: PKI + - fieldName: publicKey + discriminatorValue: PublicKey - name: com.github.openshift.api.config.v1.PowerVSPlatformSpec map: fields: @@ -3074,6 +3283,15 @@ var schemaYAML = typed.YAMLObject(`types: - name: noProxy type: scalar: string +- name: com.github.openshift.api.config.v1.PublicKey + map: + fields: + - name: keyData + type: + scalar: string + - name: rekorKeyData + type: + scalar: string - name: com.github.openshift.api.config.v1.RegistryLocation map: fields: @@ -3468,6 +3686,13 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" + unions: + - discriminator: prefixPolicy + fields: + - fieldName: claim + discriminatorValue: Claim + - fieldName: prefix + discriminatorValue: Prefix - name: com.github.openshift.api.config.v1.UsernamePrefix map: fields: 
@@ -4147,6 +4372,121 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1alpha2.Custom + map: + fields: + - name: configs + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha2.GathererConfig + elementRelationship: associative + keys: + - name +- name: com.github.openshift.api.config.v1alpha2.GatherConfig + map: + fields: + - name: dataPolicy + type: + list: + elementType: + scalar: string + elementRelationship: atomic + - name: gatherers + type: + namedType: com.github.openshift.api.config.v1alpha2.Gatherers + default: {} + - name: storage + type: + namedType: com.github.openshift.api.config.v1alpha2.Storage +- name: com.github.openshift.api.config.v1alpha2.GathererConfig + map: + fields: + - name: name + type: + scalar: string + default: "" + - name: state + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha2.Gatherers + map: + fields: + - name: custom + type: + namedType: com.github.openshift.api.config.v1alpha2.Custom + - name: mode + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha2.InsightsDataGather + map: + fields: + - name: apiVersion + type: + scalar: string + - name: kind + type: + scalar: string + - name: metadata + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + default: {} + - name: spec + type: + namedType: com.github.openshift.api.config.v1alpha2.InsightsDataGatherSpec + default: {} + - name: status + type: + namedType: com.github.openshift.api.config.v1alpha2.InsightsDataGatherStatus + default: {} +- name: com.github.openshift.api.config.v1alpha2.InsightsDataGatherSpec + map: + fields: + - name: gatherConfig + type: + namedType: com.github.openshift.api.config.v1alpha2.GatherConfig + default: {} +- name: com.github.openshift.api.config.v1alpha2.InsightsDataGatherStatus + map: + elementType: + scalar: untyped + list: + elementType: + namedType: 
__untyped_atomic_ + elementRelationship: atomic + map: + elementType: + namedType: __untyped_deduced_ + elementRelationship: separable +- name: com.github.openshift.api.config.v1alpha2.PersistentVolumeClaimReference + map: + fields: + - name: name + type: + scalar: string + default: "" +- name: com.github.openshift.api.config.v1alpha2.PersistentVolumeConfig + map: + fields: + - name: claim + type: + namedType: com.github.openshift.api.config.v1alpha2.PersistentVolumeClaimReference + default: {} + - name: mountPath + type: + scalar: string +- name: com.github.openshift.api.config.v1alpha2.Storage + map: + fields: + - name: persistentVolume + type: + namedType: com.github.openshift.api.config.v1alpha2.PersistentVolumeConfig + - name: type + type: + scalar: string + default: "" - name: io.k8s.api.core.v1.ConfigMapKeySelector map: fields: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 71ed6464c4..3c4838843c 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -5,8 +5,10 @@ package applyconfigurations import ( v1 "github.com/openshift/api/config/v1" v1alpha1 "github.com/openshift/api/config/v1alpha1" + v1alpha2 "github.com/openshift/api/config/v1alpha2" configv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1" + configv1alpha2 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2" internal "github.com/openshift/client-go/config/applyconfigurations/internal" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -84,6 +86,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.CloudLoadBalancerIPsApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ClusterCondition"): return &configv1.ClusterConditionApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): + return &configv1.ClusterImagePolicyApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClusterImagePolicySpec"): + return &configv1.ClusterImagePolicySpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClusterImagePolicyStatus"): + return &configv1.ClusterImagePolicyStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ClusterNetworkEntry"): return &configv1.ClusterNetworkEntryApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ClusterOperator"): @@ -162,6 +170,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.FeatureGateSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FeatureGateStatus"): return &configv1.FeatureGateStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"): + return &configv1.FulcioCAWithRekorApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GCPPlatformStatus"): return &configv1.GCPPlatformStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GCPResourceLabel"): 
@@ -206,6 +216,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ImageDigestMirrorSetSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImageLabel"): return &configv1.ImageLabelApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicy"): + return &configv1.ImagePolicyApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicySpec"): + return &configv1.ImagePolicySpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ImagePolicyStatus"): + return &configv1.ImagePolicyStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImageSpec"): return &configv1.ImageSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ImageStatus"): 
@@ -322,10 +338,26 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.OvirtPlatformLoadBalancerApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("OvirtPlatformStatus"): return &configv1.OvirtPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PKI"): + return &configv1.PKIApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PKICertificateSubject"): + return &configv1.PKICertificateSubjectApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PlatformSpec"): return &configv1.PlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PlatformStatus"): return &configv1.PlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("Policy"): + return &configv1.PolicyApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PolicyFulcioSubject"): + return &configv1.PolicyFulcioSubjectApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PolicyIdentity"): + return &configv1.PolicyIdentityApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PolicyMatchExactRepository"): + return &configv1.PolicyMatchExactRepositoryApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PolicyMatchRemapIdentity"): + return &configv1.PolicyMatchRemapIdentityApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PolicyRootOfTrust"): + return &configv1.PolicyRootOfTrustApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PowerVSPlatformSpec"): return &configv1.PowerVSPlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PowerVSPlatformStatus"): 
@@ -348,6 +380,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ProxySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ProxyStatus"): return &configv1.ProxyStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("PublicKey"): + return &configv1.PublicKeyApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("RegistryLocation"): return &configv1.RegistryLocationApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("RegistrySources"): @@ -485,6 +519,26 @@ func ForKind(kind schema.GroupVersionKind) interface{} { case v1alpha1.SchemeGroupVersion.WithKind("UserDefinedMonitoring"): return &configv1alpha1.UserDefinedMonitoringApplyConfiguration{} + // Group=config.openshift.io, Version=v1alpha2 + case v1alpha2.SchemeGroupVersion.WithKind("Custom"): + return &configv1alpha2.CustomApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("GatherConfig"): + return &configv1alpha2.GatherConfigApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("GathererConfig"): + return &configv1alpha2.GathererConfigApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("Gatherers"): + return &configv1alpha2.GatherersApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("InsightsDataGather"): + return &configv1alpha2.InsightsDataGatherApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("InsightsDataGatherSpec"): + return &configv1alpha2.InsightsDataGatherSpecApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("PersistentVolumeClaimReference"): + return &configv1alpha2.PersistentVolumeClaimReferenceApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("PersistentVolumeConfig"): + return &configv1alpha2.PersistentVolumeConfigApplyConfiguration{} + case v1alpha2.SchemeGroupVersion.WithKind("Storage"): + return &configv1alpha2.StorageApplyConfiguration{} + } return nil } 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/clientset.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/clientset.go index f9ed357b64..fdb9450b84 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/clientset.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/clientset.go @@ -8,6 +8,7 @@ import ( configv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1" configv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1" + configv1alpha2 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -17,6 +18,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1() configv1.ConfigV1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface + ConfigV1alpha2() configv1alpha2.ConfigV1alpha2Interface } // Clientset contains the clients for groups. @@ -24,6 +26,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1 *configv1.ConfigV1Client configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + configV1alpha2 *configv1alpha2.ConfigV1alpha2Client } // ConfigV1 retrieves the ConfigV1Client @@ -36,6 +39,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return c.configV1alpha1 } +// ConfigV1alpha2 retrieves the ConfigV1alpha2Client +func (c *Clientset) ConfigV1alpha2() configv1alpha2.ConfigV1alpha2Interface { + return c.configV1alpha2 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { 
@@ -88,6 +96,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } + cs.configV1alpha2, err = configv1alpha2.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { @@ -111,6 +123,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1 = configv1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) + cs.configV1alpha2 = configv1alpha2.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go index ddf12da1e7..72cca8fc55 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go @@ -9,6 +9,8 @@ import ( fakeconfigv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake" configv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake" + configv1alpha2 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2" + fakeconfigv1alpha2 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -111,3 +113,8 @@ func (c *Clientset) ConfigV1() configv1.ConfigV1Interface { func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} } + +// ConfigV1alpha2 retrieves the ConfigV1alpha2Client +func (c *Clientset) ConfigV1alpha2() configv1alpha2.ConfigV1alpha2Interface { + return &fakeconfigv1alpha2.FakeConfigV1alpha2{Fake: &c.Fake} +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/register.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/register.go index 7489301098..113c9e9cc5 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/register.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/register.go @@ -5,6 +5,7 @@ package fake import ( configv1 "github.com/openshift/api/config/v1" configv1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha2 "github.com/openshift/api/config/v1alpha2" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -18,6 +19,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1.AddToScheme, configv1alpha1.AddToScheme, + configv1alpha2.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/register.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/register.go index 6340555dd1..eb67739213 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/register.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/register.go 
@@ -5,6 +5,7 @@ package scheme import ( configv1 "github.com/openshift/api/config/v1" configv1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha2 "github.com/openshift/api/config/v1alpha2" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -18,6 +19,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1.AddToScheme, configv1alpha1.AddToScheme, + configv1alpha2.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusterimagepolicy.go new file mode 100644 index 0000000000..b0452f6116 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusterimagepolicy.go 
@@ -0,0 +1,58 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1 + +import ( + context "context" + + configv1 "github.com/openshift/api/config/v1" + applyconfigurationsconfigv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" +) + +// ClusterImagePoliciesGetter has a method to return a ClusterImagePolicyInterface. +// A group's client should implement this interface. +type ClusterImagePoliciesGetter interface { + ClusterImagePolicies() ClusterImagePolicyInterface +} + +// ClusterImagePolicyInterface has methods to work with ClusterImagePolicy resources. +type ClusterImagePolicyInterface interface { + Create(ctx context.Context, clusterImagePolicy *configv1.ClusterImagePolicy, opts metav1.CreateOptions) (*configv1.ClusterImagePolicy, error) + Update(ctx context.Context, clusterImagePolicy *configv1.ClusterImagePolicy, opts metav1.UpdateOptions) (*configv1.ClusterImagePolicy, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, clusterImagePolicy *configv1.ClusterImagePolicy, opts metav1.UpdateOptions) (*configv1.ClusterImagePolicy, error) + Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error + Get(ctx context.Context, name string, opts metav1.GetOptions) (*configv1.ClusterImagePolicy, error) + List(ctx context.Context, opts metav1.ListOptions) (*configv1.ClusterImagePolicyList, error) + Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *configv1.ClusterImagePolicy, err error) + Apply(ctx context.Context, clusterImagePolicy *applyconfigurationsconfigv1.ClusterImagePolicyApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.ClusterImagePolicy, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). 
+ ApplyStatus(ctx context.Context, clusterImagePolicy *applyconfigurationsconfigv1.ClusterImagePolicyApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.ClusterImagePolicy, err error) + ClusterImagePolicyExpansion +} + +// clusterImagePolicies implements ClusterImagePolicyInterface +type clusterImagePolicies struct { + *gentype.ClientWithListAndApply[*configv1.ClusterImagePolicy, *configv1.ClusterImagePolicyList, *applyconfigurationsconfigv1.ClusterImagePolicyApplyConfiguration] +} + +// newClusterImagePolicies returns a ClusterImagePolicies +func newClusterImagePolicies(c *ConfigV1Client) *clusterImagePolicies { + return &clusterImagePolicies{ + gentype.NewClientWithListAndApply[*configv1.ClusterImagePolicy, *configv1.ClusterImagePolicyList, *applyconfigurationsconfigv1.ClusterImagePolicyApplyConfiguration]( + "clusterimagepolicies", + c.RESTClient(), + scheme.ParameterCodec, + "", + func() *configv1.ClusterImagePolicy { return &configv1.ClusterImagePolicy{} }, + func() *configv1.ClusterImagePolicyList { return &configv1.ClusterImagePolicyList{} }, + ), + } +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go index bbb0b312ee..b8fd54454e 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go @@ -15,6 +15,7 @@ type ConfigV1Interface interface { APIServersGetter AuthenticationsGetter BuildsGetter + ClusterImagePoliciesGetter ClusterOperatorsGetter ClusterVersionsGetter ConsolesGetter @@ -23,6 +24,7 @@ type ConfigV1Interface interface { ImagesGetter ImageContentPoliciesGetter ImageDigestMirrorSetsGetter + ImagePoliciesGetter ImageTagMirrorSetsGetter InfrastructuresGetter IngressesGetter 
@@ -52,6 +54,10 @@ func (c *ConfigV1Client) Builds() BuildInterface { return newBuilds(c) } +func (c *ConfigV1Client) ClusterImagePolicies() ClusterImagePolicyInterface { + return newClusterImagePolicies(c) +} + func (c *ConfigV1Client) ClusterOperators() ClusterOperatorInterface { return newClusterOperators(c) } @@ -84,6 +90,10 @@ func (c *ConfigV1Client) ImageDigestMirrorSets() ImageDigestMirrorSetInterface { return newImageDigestMirrorSets(c) } +func (c *ConfigV1Client) ImagePolicies(namespace string) ImagePolicyInterface { + return newImagePolicies(c, namespace) +} + func (c *ConfigV1Client) ImageTagMirrorSets() ImageTagMirrorSetInterface { return newImageTagMirrorSets(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterimagepolicy.go new file mode 100644 index 0000000000..e79a2483fd --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterimagepolicy.go 
@@ -0,0 +1,37 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1 "github.com/openshift/api/config/v1" + configv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" + typedconfigv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1" + gentype "k8s.io/client-go/gentype" +) + +// fakeClusterImagePolicies implements ClusterImagePolicyInterface +type fakeClusterImagePolicies struct { + *gentype.FakeClientWithListAndApply[*v1.ClusterImagePolicy, *v1.ClusterImagePolicyList, *configv1.ClusterImagePolicyApplyConfiguration] + Fake *FakeConfigV1 +} + +func newFakeClusterImagePolicies(fake *FakeConfigV1) typedconfigv1.ClusterImagePolicyInterface { + return &fakeClusterImagePolicies{ + gentype.NewFakeClientWithListAndApply[*v1.ClusterImagePolicy, *v1.ClusterImagePolicyList, *configv1.ClusterImagePolicyApplyConfiguration]( + fake.Fake, + "", + v1.SchemeGroupVersion.WithResource("clusterimagepolicies"), + v1.SchemeGroupVersion.WithKind("ClusterImagePolicy"), + func() *v1.ClusterImagePolicy { return &v1.ClusterImagePolicy{} }, + func() *v1.ClusterImagePolicyList { return &v1.ClusterImagePolicyList{} }, + func(dst, src *v1.ClusterImagePolicyList) { dst.ListMeta = src.ListMeta }, + func(list *v1.ClusterImagePolicyList) []*v1.ClusterImagePolicy { + return gentype.ToPointerSlice(list.Items) + }, + func(list *v1.ClusterImagePolicyList, items []*v1.ClusterImagePolicy) { + list.Items = gentype.FromPointerSlice(items) + }, + ), + fake, + } +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go index 6253194636..764c8912ad 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go 
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go @@ -24,6 +24,10 @@ func (c *FakeConfigV1) Builds() v1.BuildInterface { return newFakeBuilds(c) } +func (c *FakeConfigV1) ClusterImagePolicies() v1.ClusterImagePolicyInterface { + return newFakeClusterImagePolicies(c) +} + func (c *FakeConfigV1) ClusterOperators() v1.ClusterOperatorInterface { return newFakeClusterOperators(c) } @@ -56,6 +60,10 @@ func (c *FakeConfigV1) ImageDigestMirrorSets() v1.ImageDigestMirrorSetInterface return newFakeImageDigestMirrorSets(c) } +func (c *FakeConfigV1) ImagePolicies(namespace string) v1.ImagePolicyInterface { + return newFakeImagePolicies(c, namespace) +} + func (c *FakeConfigV1) ImageTagMirrorSets() v1.ImageTagMirrorSetInterface { return newFakeImageTagMirrorSets(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagepolicy.go new file mode 100644 index 0000000000..fc34d3f6e2 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagepolicy.go 
@@ -0,0 +1,33 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1 "github.com/openshift/api/config/v1" + configv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" + typedconfigv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1" + gentype "k8s.io/client-go/gentype" +) + +// fakeImagePolicies implements ImagePolicyInterface +type fakeImagePolicies struct { + *gentype.FakeClientWithListAndApply[*v1.ImagePolicy, *v1.ImagePolicyList, *configv1.ImagePolicyApplyConfiguration] + Fake *FakeConfigV1 +} + +func newFakeImagePolicies(fake *FakeConfigV1, namespace string) typedconfigv1.ImagePolicyInterface { + return &fakeImagePolicies{ + gentype.NewFakeClientWithListAndApply[*v1.ImagePolicy, *v1.ImagePolicyList, *configv1.ImagePolicyApplyConfiguration]( + fake.Fake, + namespace, + v1.SchemeGroupVersion.WithResource("imagepolicies"), + v1.SchemeGroupVersion.WithKind("ImagePolicy"), + func() *v1.ImagePolicy { return &v1.ImagePolicy{} }, + func() *v1.ImagePolicyList { return &v1.ImagePolicyList{} }, + func(dst, src *v1.ImagePolicyList) { dst.ListMeta = src.ListMeta }, + func(list *v1.ImagePolicyList) []*v1.ImagePolicy { return gentype.ToPointerSlice(list.Items) }, + func(list *v1.ImagePolicyList, items []*v1.ImagePolicy) { list.Items = gentype.FromPointerSlice(items) }, + ), + fake, + } +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go index a56721ba9d..44ad19dcb3 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go 
@@ -8,6 +8,8 @@ type AuthenticationExpansion interface{} type BuildExpansion interface{} +type ClusterImagePolicyExpansion interface{} + type ClusterOperatorExpansion interface{} type ClusterVersionExpansion interface{} @@ -24,6 +26,8 @@ type ImageContentPolicyExpansion interface{} type ImageDigestMirrorSetExpansion interface{} +type ImagePolicyExpansion interface{} + type ImageTagMirrorSetExpansion interface{} type InfrastructureExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagepolicy.go new file mode 100644 index 0000000000..4dae127574 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagepolicy.go 
@@ -0,0 +1,58 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1 + +import ( + context "context" + + configv1 "github.com/openshift/api/config/v1" + applyconfigurationsconfigv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" +) + +// ImagePoliciesGetter has a method to return a ImagePolicyInterface. +// A group's client should implement this interface. +type ImagePoliciesGetter interface { + ImagePolicies(namespace string) ImagePolicyInterface +} + +// ImagePolicyInterface has methods to work with ImagePolicy resources. +type ImagePolicyInterface interface { + Create(ctx context.Context, imagePolicy *configv1.ImagePolicy, opts metav1.CreateOptions) (*configv1.ImagePolicy, error) + Update(ctx context.Context, imagePolicy *configv1.ImagePolicy, opts metav1.UpdateOptions) (*configv1.ImagePolicy, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, imagePolicy *configv1.ImagePolicy, opts metav1.UpdateOptions) (*configv1.ImagePolicy, error) + Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error + Get(ctx context.Context, name string, opts metav1.GetOptions) (*configv1.ImagePolicy, error) + List(ctx context.Context, opts metav1.ListOptions) (*configv1.ImagePolicyList, error) + Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *configv1.ImagePolicy, err error) + Apply(ctx context.Context, imagePolicy *applyconfigurationsconfigv1.ImagePolicyApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.ImagePolicy, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). + ApplyStatus(ctx context.Context, imagePolicy *applyconfigurationsconfigv1.ImagePolicyApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.ImagePolicy, err error) + ImagePolicyExpansion +} + +// imagePolicies implements ImagePolicyInterface +type imagePolicies struct { + *gentype.ClientWithListAndApply[*configv1.ImagePolicy, *configv1.ImagePolicyList, *applyconfigurationsconfigv1.ImagePolicyApplyConfiguration] +} + +// newImagePolicies returns a ImagePolicies +func newImagePolicies(c *ConfigV1Client, namespace string) *imagePolicies { + return &imagePolicies{ + gentype.NewClientWithListAndApply[*configv1.ImagePolicy, *configv1.ImagePolicyList, *applyconfigurationsconfigv1.ImagePolicyApplyConfiguration]( + "imagepolicies", + c.RESTClient(), + scheme.ParameterCodec, + namespace, + func() *configv1.ImagePolicy { return &configv1.ImagePolicy{} }, + func() *configv1.ImagePolicyList { return &configv1.ImagePolicyList{} }, + ), + } +} 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/config_client.go new file mode 100644 index 0000000000..50f1d81765 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/config_client.go 
@@ -0,0 +1,91 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + http "net/http" + + configv1alpha2 "github.com/openshift/api/config/v1alpha2" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type ConfigV1alpha2Interface interface { + RESTClient() rest.Interface + InsightsDataGathersGetter +} + +// ConfigV1alpha2Client is used to interact with features provided by the config.openshift.io group. +type ConfigV1alpha2Client struct { + restClient rest.Interface +} + +func (c *ConfigV1alpha2Client) InsightsDataGathers() InsightsDataGatherInterface { + return newInsightsDataGathers(c) +} + +// NewForConfig creates a new ConfigV1alpha2Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*ConfigV1alpha2Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new ConfigV1alpha2Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ConfigV1alpha2Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &ConfigV1alpha2Client{client}, nil +} + +// NewForConfigOrDie creates a new ConfigV1alpha2Client for the given config and +// panics if there is an error in the config. 
+func NewForConfigOrDie(c *rest.Config) *ConfigV1alpha2Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new ConfigV1alpha2Client for the given RESTClient. +func New(c rest.Interface) *ConfigV1alpha2Client { + return &ConfigV1alpha2Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := configv1alpha2.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *ConfigV1alpha2Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/doc.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/doc.go new file mode 100644 index 0000000000..c11da26828 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/doc.go @@ -0,0 +1,4 @@ +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha2 diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/doc.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/doc.go new file mode 100644 index 0000000000..2b5ba4c8e4 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/doc.go @@ -0,0 +1,4 @@ +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_config_client.go new file mode 100644 index 0000000000..04e9accbd0 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_config_client.go @@ -0,0 +1,24 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha2 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeConfigV1alpha2 struct { + *testing.Fake +} + +func (c *FakeConfigV1alpha2) InsightsDataGathers() v1alpha2.InsightsDataGatherInterface { + return newFakeInsightsDataGathers(c) +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeConfigV1alpha2) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_insightsdatagather.go new file mode 100644 index 0000000000..2f9c0ddfdb --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_insightsdatagather.go 
@@ -0,0 +1,37 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha2 "github.com/openshift/api/config/v1alpha2" + configv1alpha2 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2" + typedconfigv1alpha2 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2" + gentype "k8s.io/client-go/gentype" +) + +// fakeInsightsDataGathers implements InsightsDataGatherInterface +type fakeInsightsDataGathers struct { + *gentype.FakeClientWithListAndApply[*v1alpha2.InsightsDataGather, *v1alpha2.InsightsDataGatherList, *configv1alpha2.InsightsDataGatherApplyConfiguration] + Fake *FakeConfigV1alpha2 +} + +func newFakeInsightsDataGathers(fake *FakeConfigV1alpha2) typedconfigv1alpha2.InsightsDataGatherInterface { + return &fakeInsightsDataGathers{ + gentype.NewFakeClientWithListAndApply[*v1alpha2.InsightsDataGather, *v1alpha2.InsightsDataGatherList, *configv1alpha2.InsightsDataGatherApplyConfiguration]( + fake.Fake, + "", + v1alpha2.SchemeGroupVersion.WithResource("insightsdatagathers"), + v1alpha2.SchemeGroupVersion.WithKind("InsightsDataGather"), + func() *v1alpha2.InsightsDataGather { return &v1alpha2.InsightsDataGather{} }, + func() *v1alpha2.InsightsDataGatherList { return &v1alpha2.InsightsDataGatherList{} }, + func(dst, src *v1alpha2.InsightsDataGatherList) { dst.ListMeta = src.ListMeta }, + func(list *v1alpha2.InsightsDataGatherList) []*v1alpha2.InsightsDataGather { + return gentype.ToPointerSlice(list.Items) + }, + func(list *v1alpha2.InsightsDataGatherList, items []*v1alpha2.InsightsDataGather) { + list.Items = gentype.FromPointerSlice(items) + }, + ), + fake, + } +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/generated_expansion.go new file mode 100644 index 0000000000..6f1f055c79 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/generated_expansion.go @@ -0,0 +1,5 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +type InsightsDataGatherExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/insightsdatagather.go new file mode 100644 index 0000000000..ad5be4b226 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/insightsdatagather.go 
@@ -0,0 +1,58 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + context "context" + + configv1alpha2 "github.com/openshift/api/config/v1alpha2" + applyconfigurationsconfigv1alpha2 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" +) + +// InsightsDataGathersGetter has a method to return a InsightsDataGatherInterface. +// A group's client should implement this interface. +type InsightsDataGathersGetter interface { + InsightsDataGathers() InsightsDataGatherInterface +} + +// InsightsDataGatherInterface has methods to work with InsightsDataGather resources. +type InsightsDataGatherInterface interface { + Create(ctx context.Context, insightsDataGather *configv1alpha2.InsightsDataGather, opts v1.CreateOptions) (*configv1alpha2.InsightsDataGather, error) + Update(ctx context.Context, insightsDataGather *configv1alpha2.InsightsDataGather, opts v1.UpdateOptions) (*configv1alpha2.InsightsDataGather, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, insightsDataGather *configv1alpha2.InsightsDataGather, opts v1.UpdateOptions) (*configv1alpha2.InsightsDataGather, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*configv1alpha2.InsightsDataGather, error) + List(ctx context.Context, opts v1.ListOptions) (*configv1alpha2.InsightsDataGatherList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1alpha2.InsightsDataGather, err error) + Apply(ctx context.Context, insightsDataGather *applyconfigurationsconfigv1alpha2.InsightsDataGatherApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha2.InsightsDataGather, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). 
+ ApplyStatus(ctx context.Context, insightsDataGather *applyconfigurationsconfigv1alpha2.InsightsDataGatherApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha2.InsightsDataGather, err error) + InsightsDataGatherExpansion +} + +// insightsDataGathers implements InsightsDataGatherInterface +type insightsDataGathers struct { + *gentype.ClientWithListAndApply[*configv1alpha2.InsightsDataGather, *configv1alpha2.InsightsDataGatherList, *applyconfigurationsconfigv1alpha2.InsightsDataGatherApplyConfiguration] +} + +// newInsightsDataGathers returns a InsightsDataGathers +func newInsightsDataGathers(c *ConfigV1alpha2Client) *insightsDataGathers { + return &insightsDataGathers{ + gentype.NewClientWithListAndApply[*configv1alpha2.InsightsDataGather, *configv1alpha2.InsightsDataGatherList, *applyconfigurationsconfigv1alpha2.InsightsDataGatherApplyConfiguration]( + "insightsdatagathers", + c.RESTClient(), + scheme.ParameterCodec, + "", + func() *configv1alpha2.InsightsDataGather { return &configv1alpha2.InsightsDataGather{} }, + func() *configv1alpha2.InsightsDataGatherList { return &configv1alpha2.InsightsDataGatherList{} }, + ), + } +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/interface.go index 3e7e6e8d3b..7ffc394de4 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/interface.go @@ -5,6 +5,7 @@ package config import ( v1 "github.com/openshift/client-go/config/informers/externalversions/config/v1" v1alpha1 "github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1" + v1alpha2 "github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2" internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" ) 
@@ -14,6 +15,8 @@ type Interface interface { V1() v1.Interface // V1alpha1 provides access to shared informers for resources in V1alpha1. V1alpha1() v1alpha1.Interface + // V1alpha2 provides access to shared informers for resources in V1alpha2. + V1alpha2() v1alpha2.Interface } type group struct { @@ -36,3 +39,8 @@ func (g *group) V1() v1.Interface { func (g *group) V1alpha1() v1alpha1.Interface { return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) } + +// V1alpha2 returns a new v1alpha2.Interface. +func (g *group) V1alpha2() v1alpha2.Interface { + return v1alpha2.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go new file mode 100644 index 0000000000..0cd758e687 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go 
@@ -0,0 +1,73 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1 + +import ( + context "context" + time "time" + + apiconfigv1 "github.com/openshift/api/config/v1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + configv1 "github.com/openshift/client-go/config/listers/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterImagePolicyInformer provides access to a shared informer and lister for +// ClusterImagePolicies. +type ClusterImagePolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() configv1.ClusterImagePolicyLister +} + +type clusterImagePolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterImagePolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterImagePolicyInformer constructs a new informer for ClusterImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ClusterImagePolicies().List(context.TODO(), options) + }, + WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ClusterImagePolicies().Watch(context.TODO(), options) + }, + }, + &apiconfigv1.ClusterImagePolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterImagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterImagePolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apiconfigv1.ClusterImagePolicy{}, f.defaultInformer) +} + +func (f *clusterImagePolicyInformer) Lister() configv1.ClusterImagePolicyLister { + return configv1.NewClusterImagePolicyLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go new file mode 100644 index 0000000000..591e6ab086 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go 
@@ -0,0 +1,74 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1 + +import ( + context "context" + time "time" + + apiconfigv1 "github.com/openshift/api/config/v1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + configv1 "github.com/openshift/client-go/config/listers/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ImagePolicyInformer provides access to a shared informer and lister for +// ImagePolicies. +type ImagePolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() configv1.ImagePolicyLister +} + +type imagePolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewImagePolicyInformer constructs a new informer for ImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredImagePolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredImagePolicyInformer constructs a new informer for ImagePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ImagePolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ImagePolicies(namespace).Watch(context.TODO(), options) + }, + }, + &apiconfigv1.ImagePolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *imagePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredImagePolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *imagePolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apiconfigv1.ImagePolicy{}, f.defaultInformer) +} + +func (f *imagePolicyInformer) Lister() configv1.ImagePolicyLister { + return configv1.NewImagePolicyLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go index f49b1d2287..ff4c521b04 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go 
@@ -14,6 +14,8 @@ type Interface interface { Authentications() AuthenticationInformer // Builds returns a BuildInformer. Builds() BuildInformer + // ClusterImagePolicies returns a ClusterImagePolicyInformer. + ClusterImagePolicies() ClusterImagePolicyInformer // ClusterOperators returns a ClusterOperatorInformer. ClusterOperators() ClusterOperatorInformer // ClusterVersions returns a ClusterVersionInformer. @@ -30,6 +32,8 @@ type Interface interface { ImageContentPolicies() ImageContentPolicyInformer // ImageDigestMirrorSets returns a ImageDigestMirrorSetInformer. ImageDigestMirrorSets() ImageDigestMirrorSetInformer + // ImagePolicies returns a ImagePolicyInformer. + ImagePolicies() ImagePolicyInformer // ImageTagMirrorSets returns a ImageTagMirrorSetInformer. ImageTagMirrorSets() ImageTagMirrorSetInformer // Infrastructures returns a InfrastructureInformer. @@ -78,6 +82,11 @@ func (v *version) Builds() BuildInformer { return &buildInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterImagePolicies returns a ClusterImagePolicyInformer. +func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer { + return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // ClusterOperators returns a ClusterOperatorInformer. func (v *version) ClusterOperators() ClusterOperatorInformer { return &clusterOperatorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} 
@@ -118,6 +127,11 @@ func (v *version) ImageDigestMirrorSets() ImageDigestMirrorSetInformer { return &imageDigestMirrorSetInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ImagePolicies returns a ImagePolicyInformer. +func (v *version) ImagePolicies() ImagePolicyInformer { + return &imagePolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // ImageTagMirrorSets returns a ImageTagMirrorSetInformer. func (v *version) ImageTagMirrorSets() ImageTagMirrorSetInformer { return &imageTagMirrorSetInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go new file mode 100644 index 0000000000..15f474252f --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go 
@@ -0,0 +1,73 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + context "context" + time "time" + + apiconfigv1alpha2 "github.com/openshift/api/config/v1alpha2" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + configv1alpha2 "github.com/openshift/client-go/config/listers/config/v1alpha2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// InsightsDataGatherInformer provides access to a shared informer and lister for +// InsightsDataGathers. +type InsightsDataGatherInformer interface { + Informer() cache.SharedIndexInformer + Lister() configv1alpha2.InsightsDataGatherLister +} + +type insightsDataGatherInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha2().InsightsDataGathers().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha2().InsightsDataGathers().Watch(context.TODO(), options) + }, + }, + &apiconfigv1alpha2.InsightsDataGather{}, + resyncPeriod, + indexers, + ) +} + +func (f *insightsDataGatherInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *insightsDataGatherInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apiconfigv1alpha2.InsightsDataGather{}, f.defaultInformer) +} + +func (f *insightsDataGatherInformer) Lister() configv1alpha2.InsightsDataGatherLister { + return configv1alpha2.NewInsightsDataGatherLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/interface.go new file mode 100644 index 0000000000..f7d8f276f4 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/interface.go 
@@ -0,0 +1,29 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // InsightsDataGathers returns a InsightsDataGatherInformer. + InsightsDataGathers() InsightsDataGatherInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// InsightsDataGathers returns a InsightsDataGatherInformer. +func (v *version) InsightsDataGathers() InsightsDataGatherInformer { + return &insightsDataGatherInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index 9135d1fcc1..59c98ea77c 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go @@ -7,6 +7,7 @@ import ( v1 "github.com/openshift/api/config/v1" v1alpha1 "github.com/openshift/api/config/v1alpha1" + v1alpha2 "github.com/openshift/api/config/v1alpha2" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +45,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Authentications().Informer()}, nil case v1.SchemeGroupVersion.WithResource("builds"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Builds().Informer()}, nil + case v1.SchemeGroupVersion.WithResource("clusterimagepolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ClusterImagePolicies().Informer()}, nil case v1.SchemeGroupVersion.WithResource("clusteroperators"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ClusterOperators().Informer()}, nil case v1.SchemeGroupVersion.WithResource("clusterversions"): @@ -60,6 +63,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ImageContentPolicies().Informer()}, nil case v1.SchemeGroupVersion.WithResource("imagedigestmirrorsets"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ImageDigestMirrorSets().Informer()}, nil + case v1.SchemeGroupVersion.WithResource("imagepolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ImagePolicies().Informer()}, nil case v1.SchemeGroupVersion.WithResource("imagetagmirrorsets"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ImageTagMirrorSets().Informer()}, nil case v1.SchemeGroupVersion.WithResource("infrastructures"): 
@@ -93,6 +98,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("insightsdatagathers"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().InsightsDataGathers().Informer()}, nil + // Group=config.openshift.io, Version=v1alpha2 + case v1alpha2.SchemeGroupVersion.WithResource("insightsdatagathers"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha2().InsightsDataGathers().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/clusterimagepolicy.go new file mode 100644 index 0000000000..693b815939 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/clusterimagepolicy.go 
@@ -0,0 +1,32 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" + labels "k8s.io/apimachinery/pkg/labels" + listers "k8s.io/client-go/listers" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterImagePolicyLister helps list ClusterImagePolicies. +// All objects returned here must be treated as read-only. +type ClusterImagePolicyLister interface { + // List lists all ClusterImagePolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*configv1.ClusterImagePolicy, err error) + // Get retrieves the ClusterImagePolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*configv1.ClusterImagePolicy, error) + ClusterImagePolicyListerExpansion +} + +// clusterImagePolicyLister implements the ClusterImagePolicyLister interface. +type clusterImagePolicyLister struct { + listers.ResourceIndexer[*configv1.ClusterImagePolicy] +} + +// NewClusterImagePolicyLister returns a new ClusterImagePolicyLister. +func NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePolicyLister { + return &clusterImagePolicyLister{listers.New[*configv1.ClusterImagePolicy](indexer, configv1.Resource("clusterimagepolicy"))} +} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go index b5d6fc088b..d4e79cd0ea 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go 
@@ -14,6 +14,10 @@ type AuthenticationListerExpansion interface{} // BuildLister. type BuildListerExpansion interface{} +// ClusterImagePolicyListerExpansion allows custom methods to be added to +// ClusterImagePolicyLister. +type ClusterImagePolicyListerExpansion interface{} + // ClusterOperatorListerExpansion allows custom methods to be added to // ClusterOperatorLister. type ClusterOperatorListerExpansion interface{} @@ -46,6 +50,14 @@ type ImageContentPolicyListerExpansion interface{} // ImageDigestMirrorSetLister. type ImageDigestMirrorSetListerExpansion interface{} +// ImagePolicyListerExpansion allows custom methods to be added to +// ImagePolicyLister. +type ImagePolicyListerExpansion interface{} + +// ImagePolicyNamespaceListerExpansion allows custom methods to be added to +// ImagePolicyNamespaceLister. +type ImagePolicyNamespaceListerExpansion interface{} + // ImageTagMirrorSetListerExpansion allows custom methods to be added to // ImageTagMirrorSetLister. type ImageTagMirrorSetListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/imagepolicy.go new file mode 100644 index 0000000000..38f4e20ef1 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/imagepolicy.go 
@@ -0,0 +1,54 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" + labels "k8s.io/apimachinery/pkg/labels" + listers "k8s.io/client-go/listers" + cache "k8s.io/client-go/tools/cache" +) + +// ImagePolicyLister helps list ImagePolicies. +// All objects returned here must be treated as read-only. +type ImagePolicyLister interface { + // List lists all ImagePolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*configv1.ImagePolicy, err error) + // ImagePolicies returns an object that can list and get ImagePolicies. + ImagePolicies(namespace string) ImagePolicyNamespaceLister + ImagePolicyListerExpansion +} + +// imagePolicyLister implements the ImagePolicyLister interface. +type imagePolicyLister struct { + listers.ResourceIndexer[*configv1.ImagePolicy] +} + +// NewImagePolicyLister returns a new ImagePolicyLister. +func NewImagePolicyLister(indexer cache.Indexer) ImagePolicyLister { + return &imagePolicyLister{listers.New[*configv1.ImagePolicy](indexer, configv1.Resource("imagepolicy"))} +} + +// ImagePolicies returns an object that can list and get ImagePolicies. +func (s *imagePolicyLister) ImagePolicies(namespace string) ImagePolicyNamespaceLister { + return imagePolicyNamespaceLister{listers.NewNamespaced[*configv1.ImagePolicy](s.ResourceIndexer, namespace)} +} + +// ImagePolicyNamespaceLister helps list and get ImagePolicies. +// All objects returned here must be treated as read-only. +type ImagePolicyNamespaceLister interface { + // List lists all ImagePolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*configv1.ImagePolicy, err error) + // Get retrieves the ImagePolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. 
+ Get(name string) (*configv1.ImagePolicy, error) + ImagePolicyNamespaceListerExpansion +} + +// imagePolicyNamespaceLister implements the ImagePolicyNamespaceLister +// interface. +type imagePolicyNamespaceLister struct { + listers.ResourceIndexer[*configv1.ImagePolicy] +} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/expansion_generated.go new file mode 100644 index 0000000000..edd6ab8c51 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/expansion_generated.go @@ -0,0 +1,7 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha2 + +// InsightsDataGatherListerExpansion allows custom methods to be added to +// InsightsDataGatherLister. +type InsightsDataGatherListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/insightsdatagather.go new file mode 100644 index 0000000000..13f0c3e4d8 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha2/insightsdatagather.go 
@@ -0,0 +1,32 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + configv1alpha2 "github.com/openshift/api/config/v1alpha2" + labels "k8s.io/apimachinery/pkg/labels" + listers "k8s.io/client-go/listers" + cache "k8s.io/client-go/tools/cache" +) + +// InsightsDataGatherLister helps list InsightsDataGathers. +// All objects returned here must be treated as read-only. +type InsightsDataGatherLister interface { + // List lists all InsightsDataGathers in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*configv1alpha2.InsightsDataGather, err error) + // Get retrieves the InsightsDataGather from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*configv1alpha2.InsightsDataGather, error) + InsightsDataGatherListerExpansion +} + +// insightsDataGatherLister implements the InsightsDataGatherLister interface. +type insightsDataGatherLister struct { + listers.ResourceIndexer[*configv1alpha2.InsightsDataGather] +} + +// NewInsightsDataGatherLister returns a new InsightsDataGatherLister. +func NewInsightsDataGatherLister(indexer cache.Indexer) InsightsDataGatherLister { + return &insightsDataGatherLister{listers.New[*configv1alpha2.InsightsDataGather](indexer, configv1alpha2.Resource("insightsdatagather"))} +} diff --git a/vendor/modules.txt b/vendor/modules.txt index de47d35350..34b5ad4f24 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -981,7 +981,7 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/openshift/api v0.0.0-20250425163235-9b80d67473bc +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations 
@@ -1064,7 +1064,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 +# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 ## explicit; go 1.23.0 github.com/openshift/client-go/build/applyconfigurations/build/v1 github.com/openshift/client-go/build/applyconfigurations/internal @@ -1074,6 +1074,7 @@ github.com/openshift/client-go/build/clientset/versioned/typed/build/v1 github.com/openshift/client-go/config/applyconfigurations github.com/openshift/client-go/config/applyconfigurations/config/v1 github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1 +github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2 github.com/openshift/client-go/config/applyconfigurations/internal github.com/openshift/client-go/config/clientset/versioned github.com/openshift/client-go/config/clientset/versioned/fake 
@@ -1082,13 +1083,17 @@ github.com/openshift/client-go/config/clientset/versioned/typed/config/v1 github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1 github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake +github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2 +github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake github.com/openshift/client-go/config/informers/externalversions github.com/openshift/client-go/config/informers/externalversions/config github.com/openshift/client-go/config/informers/externalversions/config/v1 github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1 +github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2 github.com/openshift/client-go/config/informers/externalversions/internalinterfaces github.com/openshift/client-go/config/listers/config/v1 github.com/openshift/client-go/config/listers/config/v1alpha1 +github.com/openshift/client-go/config/listers/config/v1alpha2 github.com/openshift/client-go/image/applyconfigurations github.com/openshift/client-go/image/applyconfigurations/image/v1 github.com/openshift/client-go/image/applyconfigurations/internal @@ -2766,3 +2771,4 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 sigs.k8s.io/yaml/goyaml.v3 # k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 +# github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 From 1fe21d29a9666ce456a1fbbc2a9b94518bc378f8 Mon Sep 17 00:00:00 2001 
From: Naseerah Kani Pakrudeen Ali Date: Wed, 2 Jul 2025 13:35:51 -0400 Subject: [PATCH 05/11] adding api linking --- go.mod | 2 + go.sum | 4 +- .../openshift/api/.ci-operator.yaml | 2 +- .../github.com/openshift/api/Dockerfile.ocp | 4 +- .../v1/types_machineconfignode.go | 65 ++- ...achineconfignodes-CustomNoUpgrade.crd.yaml | 428 ++++++++++++++++++ ...ig_01_machineconfignodes-Default.crd.yaml} | 17 +- ...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 428 ++++++++++++++++++ ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 428 ++++++++++++++++++ .../v1/zz_generated.deepcopy.go | 38 ++ ..._generated.featuregated-crd-manifests.yaml | 13 +- .../v1/zz_generated.swagger_doc_generated.go | 23 +- .../api/operator/v1/types_network.go | 26 +- .../0000_70_network_01_networks.crd.yaml | 26 +- .../v1/zz_generated.swagger_doc_generated.go | 16 +- vendor/modules.txt | 3 +- 16 files changed, 1467 insertions(+), 56 deletions(-) create mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/{0000_80_machine-config_01_machineconfignodes.crd.yaml => 0000_80_machine-config_01_machineconfignodes-Default.crd.yaml} (96%) create mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml diff --git a/go.mod b/go.mod index 404fc1844a..048d0a6bf1 100644 --- a/go.mod +++ b/go.mod 
@@ -352,3 +352,5 @@ require ( replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 + +replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc diff --git a/go.sum b/go.sum index ce82b5242f..0db2fe2ca0 100644 --- a/go.sum +++ b/go.sum @@ -483,6 +483,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= +github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc h1:zViLcax8usXZ98kf+zbBgG+xGTctxD0IZNItL1XdmWE= +github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 h1:F3b00R8BHTLsRFwdnFqsq2qbmBNo/wb7NlW2yuvUmk4= github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344/go.mod h1:Cce4FUvlkzzMnElVNAk2VDn/g6H48DyK96ZYcaU9GdY= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= 
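Review bot: The added `replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc` redirects the API module to a personal fork, and with the `replace github.com/openshift/client-go => github.com/naseerahkani/client-go ...` directive already in context the build now resolves two core dependencies from pseudo-versions outside the openshift org, which the go.sum hunk below confirms by dropping the upstream `github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c` sums. The CRD manifests vendored later in this series carry `api-approved.openshift.io: https://github.com/openshift/api/pull/2255`, so this appears to be a temporary link to unmerged API changes; if so, a `// TODO: remove once openshift/api#2255 merges and re-vendor the upstream pseudo-version` comment above the replace line would record that intent. The vendored copy pulled in from that fork already shows drift worth fixing upstream before it lands, for example the doc comment above `MachineConfigNodeAppliedFilesAndOS` still reads `MachineConfigNodeUpdateOS`. Carrying a fork pin into a release means whatever lands in the fork after this pseudo-version is outside the project's review, so the replace should be dropped before merge rather than left in place.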
@@ -515,8 +517,6 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c h1:0Np840IRyzpvHLWxcE1AZ8sttVZe+a3Y6QBS3Ge+umA= -github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 h1:GPlAy197Jkr+D0T2FNWanamraTdzS/r9ZkT29lxvHaA= github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= github.com/openshift/library-go v0.0.0-20250129210218-fe56c2cf5d70 h1:VLj8CU9q009xlMuR4wNcqDX4lVa2Ji3u/iYnBLHtQUc= diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml index 7c15f83e3e..461415cbc5 100644 --- a/vendor/github.com/openshift/api/.ci-operator.yaml +++ b/vendor/github.com/openshift/api/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: release namespace: openshift - tag: rhel-9-release-golang-1.23-openshift-4.19 + tag: rhel-9-release-golang-1.24-openshift-4.20 diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp index 3b5d1736dc..0a4c98c488 100644 --- a/vendor/github.com/openshift/api/Dockerfile.ocp +++ b/vendor/github.com/openshift/api/Dockerfile.ocp 
@@ -1,10 +1,10 @@ -FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.23-openshift-4.19 AS builder +FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20 AS builder WORKDIR /go/src/github.com/openshift/api COPY . . ENV GO_PACKAGE github.com/openshift/api RUN make build --warn-undefined-variables -FROM registry.ci.openshift.org/ocp/4.19:base-rhel9 +FROM registry.ci.openshift.org/ocp/4.20:base-rhel9 # copy the built binaries to /usr/bin COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/ diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go index a1d37f0c9a..c32db6f5a8 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go 
@@ -22,11 +22,13 @@ import (
 // +kubebuilder:printcolumn:name="UpdatePostActionComplete",type="string",JSONPath=.status.conditions[?(@.type=="UpdatePostActionComplete")].status,priority=1
 // +kubebuilder:printcolumn:name="UpdateComplete",type="string",JSONPath=.status.conditions[?(@.type=="UpdateComplete")].status,priority=1
 // +kubebuilder:printcolumn:name="Resumed",type="string",JSONPath=.status.conditions[?(@.type=="Resumed")].status,priority=1
-// +kubebuilder:printcolumn:name="UpdatedFilesAndOS",type="string",JSONPath=.status.conditions[?(@.type=="AppliedFilesAndOS")].status,priority=1
+// +kubebuilder:printcolumn:name="UpdatedOSImage",type="string",JSONPath=.status.conditions[?(@.type=="AppliedOSImage")].status,priority=1
+// +kubebuilder:printcolumn:name="UpdatedFiles",type="string",JSONPath=.status.conditions[?(@.type=="AppliedFiles")].status,priority=1
 // +kubebuilder:printcolumn:name="CordonedNode",type="string",JSONPath=.status.conditions[?(@.type=="Cordoned")].status,priority=1
 // +kubebuilder:printcolumn:name="DrainedNode",type="string",JSONPath=.status.conditions[?(@.type=="Drained")].status,priority=1
 // +kubebuilder:printcolumn:name="RebootedNode",type="string",JSONPath=.status.conditions[?(@.type=="RebootedNode")].status,priority=1
 // +kubebuilder:printcolumn:name="UncordonedNode",type="string",JSONPath=.status.conditions[?(@.type=="Uncordoned")].status,priority=1
+// +kubebuilder:printcolumn:name="ImagePulledFromRegistry",type="string",JSONPath=.status.conditions[?(@.type=="ImagePulledFromRegistry")].status,priority=1
 // +kubebuilder:metadata:labels=openshift.io/operator-managed=
 
 // MachineConfigNode describes the health of the Machines on the system
@@ -98,6 +100,13 @@ type MachineConfigNodeSpec struct {
 // the new machine config against the current machine config.
 // +required
 ConfigVersion MachineConfigNodeSpecMachineConfigVersion `json:"configVersion"`
+
+ // configImage holds the desired image for the node targeted by this machine config node resource.
+ // The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates
+ // the new image against the current image.
+ // +openshift:enable:FeatureGate=ImageModeStatusReporting
+ // +optional
+ ConfigImage MachineConfigNodeSpecConfigImage `json:"configImage"`
 }
 
 // MachineConfigNodeStatus holds the reported information on a particular machine config node.
@@ -105,7 +114,9 @@ type MachineConfigNodeStatus struct {
 // conditions represent the observations of a machine config node's current state. Valid types are:
 // UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed,
 // Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing,
- // and PinnedImageSetsDegraded.
+ // , and PinnedImageSetsDegraded.
+ // The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry,
+ // AppliedOSImage, AppliedFiles
 // +listType=map
 // +listMapKey=type
 // +kubebuilder:validation:MaxItems=20
@@ -120,6 +131,10 @@ type MachineConfigNodeStatus struct {
 // configVersion describes the current and desired machine config version for this node.
 // +optional
 ConfigVersion *MachineConfigNodeStatusMachineConfigVersion `json:"configVersion,omitempty"`
+ // configImage describes the current and desired image for this node.
+ // +openshift:enable:FeatureGate=ImageModeStatusReporting
+ // +optional
+ ConfigImage *MachineConfigNodeStatusConfigImage `json:"configImage,omitempty"`
 // pinnedImageSets describes the current and desired pinned image sets for this node.
 // +listType=map
 // +listMapKey=name
@@ -209,6 +224,42 @@ type MachineConfigNodeSpecMachineConfigVersion struct {
 Desired string `json:"desired"`
 }
 
+// MachineConfigNodeSpecConfigImage holds the desired image for the node.
+// This structure is populated from the `machineconfiguration.openshift.io/desiredImage`
+// annotation on the target node, which is set by the Machine Config Pool controller
+// to signal the desired image pullspec for the node to update to.
+type MachineConfigNodeSpecConfigImage struct {
+ // desiredImage is the fully-qualified pullspec of the image that the Machine
+ // Config Operator (MCO) intends to apply to the node.
+ // Required field that can be at most 253 characters in length.
+ // +kubebuilder:validation:MaxLength:=253
+ // +required
+ DesiredImage string `json:"desiredImage"`
+}
+
+// MachineConfigNodeStatusConfigImage holds the observed state of the image
+// on the node, including both the image targeted for an update and the image
+// currently applied. This allows for monitoring the progress of the layering
+// rollout.
+type MachineConfigNodeStatusConfigImage struct {
+ // currentImage is the fully-qualified pullspec of the image that is
+ // currently applied to the node.
+ // This field is optional because when image-mode is first enabled on a
+ // node, there is no currentImage because the node has not yet applied
+ // the updated image. Only after the updated image is applied will the
+ // currentImage be populated.
+ // This field can be at most 253 characters in length.
+ // +kubebuilder:validation:MaxLength:=253
+ // +optional
+ CurrentImage string `json:"currentImage,omitempty"`
+ // desiredImage is a mirror of the desired image from the Spec. When the
+ // current and desired image are not equal, the node is in an updating phase.
+ // Optional field that can be at most 253 characters in length.
+ // +kubebuilder:validation:MaxLength:=253
+ // +optional
+ DesiredImage string `json:"desiredImage"`
+}
+
 // StateProgress is each possible state for each possible MachineConfigNodeType
 // +enum
 type StateProgress string
@@ -228,8 +279,14 @@ const (
 MachineConfigNodeResumed StateProgress = "Resumed"
 // MachineConfigNodeUpdateDrained describes the part of the in progress phase where the node drains
 MachineConfigNodeUpdateDrained StateProgress = "Drained"
- // MachineConfigNodeUpdateFilesAndOS describes the part of the in progress phase where the nodes files and OS config change
- MachineConfigNodeUpdateFilesAndOS StateProgress = "AppliedFilesAndOS"
+ // MachineConfigNodeUpdateFiles describes the part of the in progress phase where the nodes files changes
+ MachineConfigNodeUpdateFiles StateProgress = "AppliedFiles"
+ // MachineConfigNodeUpdateOS describes the part of the in progress phase where the OS config changes
+ MachineConfigNodeUpdateOS StateProgress = "AppliedOSImage"
+ // MachineConfigNodeUpdateOS describes the part of the in progress phase where the nodes files and OS config change
+ MachineConfigNodeAppliedFilesAndOS StateProgress = "AppliedFilesAndOS"
+ // MachineConfigNodeImagePulledFromRegistry describes the part of the in progress phase where the update image is pulled from the registry
+ MachineConfigNodeImagePulledFromRegistry StateProgress = "ImagePulledFromRegistry"
 // MachineConfigNodeUpdateCordoned describes the part of the in progress phase where the node cordons
 MachineConfigNodeUpdateCordoned StateProgress = "Cordoned"
 // MachineConfigNodeUpdateUncordoned describes the part of the completing phase where the node uncordons
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..669f3f561c --- /dev/null +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,428 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2255 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineconfignodes.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineConfigNode + listKind: MachineConfigNodeList + plural: machineconfignodes + singular: machineconfignode + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.pool.name + name: PoolName + type: string + - jsonPath: .spec.configVersion.desired + name: DesiredConfig + type: string + - jsonPath: .status.configVersion.current + name: CurrentConfig + type: string + - jsonPath: .status.conditions[?(@.type=="Updated")].status + name: Updated + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status + name: UpdatePrepared + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status + name: UpdateExecuted + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status + name: UpdatePostActionComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status + name: UpdateComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Resumed")].status + name: Resumed + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status + name: UpdatedOSImage + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status + name: UpdatedFiles + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Cordoned")].status + name: 
CordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Drained")].status + name: DrainedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status + name: RebootedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status + name: UncordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status + name: ImagePulledFromRegistry + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineConfigNode describes the health of the Machines on the system + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine config node. + properties: + configImage: + description: |- + configImage holds the desired image for the node targeted by this machine config node resource. + The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates + the new image against the current image. 
+ properties: + desiredImage: + description: |- + desiredImage is the fully-qualified pullspec of the image that the Machine + Config Operator (MCO) intends to apply to the node. + Required field that can be at most 253 characters in length. + maxLength: 253 + type: string + required: + - desiredImage + type: object + configVersion: + description: |- + configVersion holds the desired config version for the node targeted by this machine config node resource. + The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates + the new machine config against the current machine config. + properties: + desired: + description: |- + desired is the name of the machine config that the the node should be upgraded to. + This value is set when the machine config pool generates a new version of its rendered configuration. + When this value is changed, the machine config daemon starts the node upgrade process. + This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + node: + description: node contains a reference to the node for this machine + config node. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + pool: + description: |- + pool contains a reference to the machine config pool that this machine config node's + referenced node belongs to. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - configVersion + - node + - pool + type: object + status: + description: status describes the last observed state of this machine + config node. + properties: + conditions: + description: |- + conditions represent the observations of a machine config node's current state. 
Valid types are: + UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, + Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, + , and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + configImage: + description: configImage describes the current and desired image for + this node. + properties: + currentImage: + description: |- + currentImage is the fully-qualified pullspec of the image that is + currently applied to the node. + This field is optional because when image-mode is first enabled on a + node, there is no currentImage because the node has not yet applied + the updated image. Only after the updated image is applied will the + currentImage be populated. + This field can be at most 253 characters in length. + maxLength: 253 + type: string + desiredImage: + description: |- + desiredImage is a mirror of the desired image from the Spec. When the + current and desired image are not equal, the node is in an updating phase. + Optional field that can be at most 253 characters in length. + maxLength: 253 + type: string + type: object + configVersion: + description: configVersion describes the current and desired machine + config version for this node. + properties: + current: + description: |- + current is the name of the machine config currently in use on the node. + This value is updated once the machine config daemon has completed the update of the configuration for the node. + This value should match the desired version unless an upgrade is in progress. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + desired: + description: |- + desired is the MachineConfig the node wants to upgrade to. + This value gets set in the machine config node status once the machine config has been validated + against the current machine config. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + observedGeneration: + description: |- + observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. + This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. + format: int64 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not decrease + rule: self >= oldSelf + pinnedImageSets: + description: pinnedImageSets describes the current and desired pinned + image sets for this node. 
+ items: + description: MachineConfigNodeStatusPinnedImageSet holds information + about the current, desired, and failed pinned image sets for the + observed machine config node. + properties: + currentGeneration: + description: currentGeneration is the generation of the pinned + image set that has most recently been successfully pulled + and pinned on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: currentGeneration must not decrease + rule: self >= oldSelf + desiredGeneration: + description: desiredGeneration is the generation of the pinned + image set that is targeted to be pulled and pinned on this + node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: desiredGeneration must not decrease + rule: self >= oldSelf + lastFailedGeneration: + description: lastFailedGeneration is the generation of the most + recent pinned image set that failed to be pulled and pinned + on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: lastFailedGeneration must not decrease + rule: self >= oldSelf + lastFailedGenerationError: + description: |- + lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. + The error is an empty string if the image pull and pin is successful. + maxLength: 32768 + type: string + name: + description: |- + name is the name of the pinned image set. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + x-kubernetes-validations: + - message: desired generation must be greater than or equal to the + current generation + rule: 'has(self.desiredGeneration) && has(self.currentGeneration) + ? self.desiredGeneration >= self.currentGeneration : true' + - message: desired generation must be greater than or equal to the + last failed generation + rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) + ? self.desiredGeneration >= self.lastFailedGeneration : true' + - message: last failed generation error must be defined on image + pull and pin failure + rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) + : true' + maxItems: 100 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: spec.node.name should match metadata.name + rule: self.metadata.name == self.spec.node.name + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml similarity index 96% rename from vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml rename to vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml index 0631b41096..343e44697f 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes.crd.yaml 
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default labels: openshift.io/operator-managed: "" name: machineconfignodes.machineconfiguration.openshift.io @@ -51,8 +52,12 @@ spec: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS + - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status + name: UpdatedOSImage + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status + name: UpdatedFiles priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -71,6 +76,10 @@ spec: name: UncordonedNode priority: 1 type: string + - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status + name: ImagePulledFromRegistry + priority: 1 + type: string name: v1 schema: openAPIV3Schema: @@ -180,7 +189,9 @@ spec: conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - and PinnedImageSetsDegraded. + , and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles items: description: Condition contains details for one aspect of the current state of this API Resource. 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..de578029c0 --- /dev/null +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,428 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2255 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineconfignodes.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineConfigNode + listKind: MachineConfigNodeList + plural: machineconfignodes + singular: machineconfignode + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.pool.name + name: PoolName + type: string + - jsonPath: .spec.configVersion.desired + name: DesiredConfig + type: string + - jsonPath: .status.configVersion.current + name: CurrentConfig + type: string + - jsonPath: .status.conditions[?(@.type=="Updated")].status + name: Updated + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status + name: UpdatePrepared + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status + name: UpdateExecuted + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status + name: UpdatePostActionComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status + name: UpdateComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Resumed")].status + name: Resumed + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status + name: UpdatedOSImage + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status + name: UpdatedFiles + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Cordoned")].status + name: 
CordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Drained")].status + name: DrainedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status + name: RebootedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status + name: UncordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status + name: ImagePulledFromRegistry + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineConfigNode describes the health of the Machines on the system + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine config node. + properties: + configImage: + description: |- + configImage holds the desired image for the node targeted by this machine config node resource. + The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates + the new image against the current image. 
+ properties: + desiredImage: + description: |- + desiredImage is the fully-qualified pullspec of the image that the Machine + Config Operator (MCO) intends to apply to the node. + Required field that can be at most 253 characters in length. + maxLength: 253 + type: string + required: + - desiredImage + type: object + configVersion: + description: |- + configVersion holds the desired config version for the node targeted by this machine config node resource. + The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates + the new machine config against the current machine config. + properties: + desired: + description: |- + desired is the name of the machine config that the the node should be upgraded to. + This value is set when the machine config pool generates a new version of its rendered configuration. + When this value is changed, the machine config daemon starts the node upgrade process. + This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + node: + description: node contains a reference to the node for this machine + config node. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + pool: + description: |- + pool contains a reference to the machine config pool that this machine config node's + referenced node belongs to. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - configVersion + - node + - pool + type: object + status: + description: status describes the last observed state of this machine + config node. + properties: + conditions: + description: |- + conditions represent the observations of a machine config node's current state. 
Valid types are: + UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, + Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, + , and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + configImage: + description: configImage describes the current and desired image for + this node. + properties: + currentImage: + description: |- + currentImage is the fully-qualified pullspec of the image that is + currently applied to the node. + This field is optional because when image-mode is first enabled on a + node, there is no currentImage because the node has not yet applied + the updated image. Only after the updated image is applied will the + currentImage be populated. + This field can be at most 253 characters in length. + maxLength: 253 + type: string + desiredImage: + description: |- + desiredImage is a mirror of the desired image from the Spec. When the + current and desired image are not equal, the node is in an updating phase. + Optional field that can be at most 253 characters in length. + maxLength: 253 + type: string + type: object + configVersion: + description: configVersion describes the current and desired machine + config version for this node. + properties: + current: + description: |- + current is the name of the machine config currently in use on the node. + This value is updated once the machine config daemon has completed the update of the configuration for the node. + This value should match the desired version unless an upgrade is in progress. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + desired: + description: |- + desired is the MachineConfig the node wants to upgrade to. + This value gets set in the machine config node status once the machine config has been validated + against the current machine config. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + observedGeneration: + description: |- + observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. + This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. + format: int64 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not decrease + rule: self >= oldSelf + pinnedImageSets: + description: pinnedImageSets describes the current and desired pinned + image sets for this node. 
+ items: + description: MachineConfigNodeStatusPinnedImageSet holds information + about the current, desired, and failed pinned image sets for the + observed machine config node. + properties: + currentGeneration: + description: currentGeneration is the generation of the pinned + image set that has most recently been successfully pulled + and pinned on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: currentGeneration must not decrease + rule: self >= oldSelf + desiredGeneration: + description: desiredGeneration is the generation of the pinned + image set that is targeted to be pulled and pinned on this + node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: desiredGeneration must not decrease + rule: self >= oldSelf + lastFailedGeneration: + description: lastFailedGeneration is the generation of the most + recent pinned image set that failed to be pulled and pinned + on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: lastFailedGeneration must not decrease + rule: self >= oldSelf + lastFailedGenerationError: + description: |- + lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. + The error is an empty string if the image pull and pin is successful. + maxLength: 32768 + type: string + name: + description: |- + name is the name of the pinned image set. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + x-kubernetes-validations: + - message: desired generation must be greater than or equal to the + current generation + rule: 'has(self.desiredGeneration) && has(self.currentGeneration) + ? self.desiredGeneration >= self.currentGeneration : true' + - message: desired generation must be greater than or equal to the + last failed generation + rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) + ? self.desiredGeneration >= self.lastFailedGeneration : true' + - message: last failed generation error must be defined on image + pull and pin failure + rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) + : true' + maxItems: 100 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: spec.node.name should match metadata.name + rule: self.metadata.name == self.spec.node.name + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..9ac70ab26d --- /dev/null +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,428 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2255 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineconfignodes.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineConfigNode + listKind: MachineConfigNodeList + plural: machineconfignodes + singular: machineconfignode + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.pool.name + name: PoolName + type: string + - jsonPath: .spec.configVersion.desired + name: DesiredConfig + type: string + - jsonPath: .status.configVersion.current + name: CurrentConfig + type: string + - jsonPath: .status.conditions[?(@.type=="Updated")].status + name: Updated + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePrepared")].status + name: UpdatePrepared + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateExecuted")].status + name: UpdateExecuted + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdatePostActionComplete")].status + name: UpdatePostActionComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="UpdateComplete")].status + name: UpdateComplete + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Resumed")].status + name: Resumed + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status + name: UpdatedOSImage + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status + name: UpdatedFiles + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Cordoned")].status + name: 
CordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Drained")].status + name: DrainedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="RebootedNode")].status + name: RebootedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Uncordoned")].status + name: UncordonedNode + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status + name: ImagePulledFromRegistry + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineConfigNode describes the health of the Machines on the system + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machine config node. + properties: + configImage: + description: |- + configImage holds the desired image for the node targeted by this machine config node resource. + The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates + the new image against the current image. 
+ properties: + desiredImage: + description: |- + desiredImage is the fully-qualified pullspec of the image that the Machine + Config Operator (MCO) intends to apply to the node. + Required field that can be at most 253 characters in length. + maxLength: 253 + type: string + required: + - desiredImage + type: object + configVersion: + description: |- + configVersion holds the desired config version for the node targeted by this machine config node resource. + The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates + the new machine config against the current machine config. + properties: + desired: + description: |- + desired is the name of the machine config that the the node should be upgraded to. + This value is set when the machine config pool generates a new version of its rendered configuration. + When this value is changed, the machine config daemon starts the node upgrade process. + This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + node: + description: node contains a reference to the node for this machine + config node. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + pool: + description: |- + pool contains a reference to the machine config pool that this machine config node's + referenced node belongs to. + properties: + name: + description: |- + name is the name of the object being referenced. For example, this can represent a machine + config pool or node name. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - configVersion + - node + - pool + type: object + status: + description: status describes the last observed state of this machine + config node. + properties: + conditions: + description: |- + conditions represent the observations of a machine config node's current state. 
Valid types are: + UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, + Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, + , and PinnedImageSetsDegraded. + The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, + AppliedOSImage, AppliedFiles + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + configImage: + description: configImage describes the current and desired image for + this node. + properties: + currentImage: + description: |- + currentImage is the fully-qualified pullspec of the image that is + currently applied to the node. + This field is optional because when image-mode is first enabled on a + node, there is no currentImage because the node has not yet applied + the updated image. Only after the updated image is applied will the + currentImage be populated. + This field can be at most 253 characters in length. + maxLength: 253 + type: string + desiredImage: + description: |- + desiredImage is a mirror of the desired image from the Spec. When the + current and desired image are not equal, the node is in an updating phase. + Optional field that can be at most 253 characters in length. + maxLength: 253 + type: string + type: object + configVersion: + description: configVersion describes the current and desired machine + config version for this node. + properties: + current: + description: |- + current is the name of the machine config currently in use on the node. + This value is updated once the machine config daemon has completed the update of the configuration for the node. + This value should match the desired version unless an upgrade is in progress. 
+ Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + desired: + description: |- + desired is the MachineConfig the node wants to upgrade to. + This value gets set in the machine config node status once the machine config has been validated + against the current machine config. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - desired + type: object + observedGeneration: + description: |- + observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. + This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec. + format: int64 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not decrease + rule: self >= oldSelf + pinnedImageSets: + description: pinnedImageSets describes the current and desired pinned + image sets for this node. 
+ items: + description: MachineConfigNodeStatusPinnedImageSet holds information + about the current, desired, and failed pinned image sets for the + observed machine config node. + properties: + currentGeneration: + description: currentGeneration is the generation of the pinned + image set that has most recently been successfully pulled + and pinned on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: currentGeneration must not decrease + rule: self >= oldSelf + desiredGeneration: + description: desiredGeneration is the generation of the pinned + image set that is targeted to be pulled and pinned on this + node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: desiredGeneration must not decrease + rule: self >= oldSelf + lastFailedGeneration: + description: lastFailedGeneration is the generation of the most + recent pinned image set that failed to be pulled and pinned + on this node. + format: int32 + minimum: 1 + type: integer + x-kubernetes-validations: + - message: lastFailedGeneration must not decrease + rule: self >= oldSelf + lastFailedGenerationError: + description: |- + lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. + The error is an empty string if the image pull and pin is successful. + maxLength: 32768 + type: string + name: + description: |- + name is the name of the pinned image set. + Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting + of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end + with an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + x-kubernetes-validations: + - message: desired generation must be greater than or equal to the + current generation + rule: 'has(self.desiredGeneration) && has(self.currentGeneration) + ? self.desiredGeneration >= self.currentGeneration : true' + - message: desired generation must be greater than or equal to the + last failed generation + rule: 'has(self.lastFailedGeneration) && has(self.desiredGeneration) + ? self.desiredGeneration >= self.lastFailedGeneration : true' + - message: last failed generation error must be defined on image + pull and pin failure + rule: 'has(self.lastFailedGeneration) ? has(self.lastFailedGenerationError) + : true' + maxItems: 100 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: spec.node.name should match metadata.name + rule: self.metadata.name == self.spec.node.name + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go index f153cc0237..9b148fa46e 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go @@ -732,6 +732,7 @@ func (in *MachineConfigNodeSpec) DeepCopyInto(out *MachineConfigNodeSpec) { out.Node = in.Node out.Pool = in.Pool out.ConfigVersion = in.ConfigVersion + out.ConfigImage = in.ConfigImage return } 
@@ -745,6 +746,22 @@ func (in *MachineConfigNodeSpec) DeepCopy() *MachineConfigNodeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigNodeSpecConfigImage) DeepCopyInto(out *MachineConfigNodeSpecConfigImage) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigNodeSpecConfigImage. +func (in *MachineConfigNodeSpecConfigImage) DeepCopy() *MachineConfigNodeSpecConfigImage { + if in == nil { + return nil + } + out := new(MachineConfigNodeSpecConfigImage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigNodeSpecMachineConfigVersion) DeepCopyInto(out *MachineConfigNodeSpecMachineConfigVersion) { *out = *in @@ -776,6 +793,11 @@ func (in *MachineConfigNodeStatus) DeepCopyInto(out *MachineConfigNodeStatus) { *out = new(MachineConfigNodeStatusMachineConfigVersion) **out = **in } + if in.ConfigImage != nil { + in, out := &in.ConfigImage, &out.ConfigImage + *out = new(MachineConfigNodeStatusConfigImage) + **out = **in + } if in.PinnedImageSets != nil { in, out := &in.PinnedImageSets, &out.PinnedImageSets *out = make([]MachineConfigNodeStatusPinnedImageSet, len(*in)) 
@@ -794,6 +816,22 @@ func (in *MachineConfigNodeStatus) DeepCopy() *MachineConfigNodeStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigNodeStatusConfigImage) DeepCopyInto(out *MachineConfigNodeStatusConfigImage) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigNodeStatusConfigImage. +func (in *MachineConfigNodeStatusConfigImage) DeepCopy() *MachineConfigNodeStatusConfigImage { + if in == nil { + return nil + } + out := new(MachineConfigNodeStatusConfigImage) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigNodeStatusMachineConfigVersion) DeepCopyInto(out *MachineConfigNodeStatusMachineConfigVersion) { *out = *in diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index beb838caf6..889c05aef6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -117,6 +117,7 @@ machineconfignodes.machineconfiguration.openshift.io: Capability: "" Category: "" FeatureGates: + - ImageModeStatusReporting - MachineConfigNodes FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" 
@@ -160,8 +161,12 @@ machineconfignodes.machineconfiguration.openshift.io: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status - name: UpdatedFilesAndOS + - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status + name: UpdatedOSImage + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status + name: UpdatedFiles priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -180,6 +185,10 @@ machineconfignodes.machineconfiguration.openshift.io: name: UncordonedNode priority: 1 type: string + - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status + name: ImagePulledFromRegistry + priority: 1 + type: string Scope: Cluster ShortNames: null TopLevelFeatureGates: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 92f536b9a8..dfb20651bf 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -403,12 +403,22 @@ var map_MachineConfigNodeSpec = map[string]string{ "node": "node contains a reference to the node for this machine config node.", "pool": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", "configVersion": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", + "configImage": "configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates the new image against the current image.", } func (MachineConfigNodeSpec) SwaggerDoc() map[string]string { return map_MachineConfigNodeSpec } +var map_MachineConfigNodeSpecConfigImage = map[string]string{ + "": "MachineConfigNodeSpecConfigImage holds the desired image for the node. This structure is populated from the `machineconfiguration.openshift.io/desiredImage` annotation on the target node, which is set by the Machine Config Pool controller to signal the desired image pullspec for the node to update to.", + "desiredImage": "desiredImage is the fully-qualified pullspec of the image that the Machine Config Operator (MCO) intends to apply to the node. Required field that can be at most 253 characters in length.", +} + +func (MachineConfigNodeSpecConfigImage) SwaggerDoc() map[string]string { + return map_MachineConfigNodeSpecConfigImage +} + var map_MachineConfigNodeSpecMachineConfigVersion = map[string]string{ "": "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. 
When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", "desired": "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", 
@@ -420,9 +430,10 @@ func (MachineConfigNodeSpecMachineConfigVersion) SwaggerDoc() map[string]string var map_MachineConfigNodeStatus = map[string]string{ "": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", - "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded.", + "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, , and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles", "observedGeneration": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", "configVersion": "configVersion describes the current and desired machine config version for this node.", + "configImage": "configImage describes the current and desired image for this node.", "pinnedImageSets": "pinnedImageSets describes the current and desired pinned image sets for this node.", } 
@@ -430,6 +441,16 @@ func (MachineConfigNodeStatus) SwaggerDoc() map[string]string { return map_MachineConfigNodeStatus } +var map_MachineConfigNodeStatusConfigImage = map[string]string{ + "": "MachineConfigNodeStatusConfigImage holds the observed state of the image on the node, including both the image targeted for an update and the image currently applied. This allows for monitoring the progress of the layering rollout.", + "currentImage": "currentImage is the fully-qualified pullspec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. This field can be at most 253 characters in length.", + "desiredImage": "desiredImage is a mirror of the desired image from the Spec. When the current and desired image are not equal, the node is in an updating phase. Optional field that can be at most 253 characters in length.", +} + +func (MachineConfigNodeStatusConfigImage) SwaggerDoc() map[string]string { + return map_MachineConfigNodeStatusConfigImage +} + var map_MachineConfigNodeStatusMachineConfigVersion = map[string]string{ "": "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", "current": "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. 
This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.",
diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go
index 713939ddbb..111240eecf 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_network.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_network.go
@@ -431,16 +431,14 @@ type OVNKubernetesConfig struct {
 // v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the
 // default one is being already used by something else. It must not overlap with
 // any other subnet being used by OpenShift or by the node network. The size of the
- // subnet must be larger than the number of nodes. The value cannot be changed
- // after installation.
+ // subnet must be larger than the number of nodes.
 // Default is 100.64.0.0/16
 // +optional
 V4InternalSubnet string `json:"v4InternalSubnet,omitempty"`
 // v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the
 // default one is being already used by something else. It must not overlap with
 // any other subnet being used by OpenShift or by the node network. The size of the
- // subnet must be larger than the number of nodes. The value cannot be changed
- // after installation.
+ // subnet must be larger than the number of nodes.
 // Default is fd98::/64
 // +optional
 V6InternalSubnet string `json:"v6InternalSubnet,omitempty"`
@@ -478,11 +476,10 @@ type IPv4OVNKubernetesConfig struct {
 // architecture that connects the cluster routers on each node together to enable
 // east west traffic. The subnet chosen should not overlap with other networks
 // specified for OVN-Kubernetes as well as other networks used on the host.
- // The value cannot be changed after installation.
 // When ommitted, this means no opinion and the platform is left to choose a reasonable
 // default which is subject to change over time.
 // The current default subnet is 100.88.0.0/16
- // The subnet must be large enough to accomadate one IP per node in your cluster
+ // The subnet must be large enough to accommodate one IP per node in your cluster
 // The value must be in proper IPV4 CIDR format
 // +kubebuilder:validation:MaxLength=18
 // +kubebuilder:validation:XValidation:rule="isCIDR(self) && cidr(self).ip().family() == 4",message="Subnet must be in valid IPV4 CIDR format"
@@ -493,10 +490,9 @@ type IPv4OVNKubernetesConfig struct {
 // internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the
 // default one is being already used by something else. It must not overlap with
 // any other subnet being used by OpenShift or by the node network. The size of the
- // subnet must be larger than the number of nodes. The value cannot be changed
- // after installation.
+ // subnet must be larger than the number of nodes.
 // The current default value is 100.64.0.0/16
- // The subnet must be large enough to accomadate one IP per node in your cluster
+ // The subnet must be large enough to accommodate one IP per node in your cluster
 // The value must be in proper IPV4 CIDR format
 // +kubebuilder:validation:MaxLength=18
 // +kubebuilder:validation:XValidation:rule="isCIDR(self) && cidr(self).ip().family() == 4",message="Subnet must be in valid IPV4 CIDR format"
@@ -512,10 +508,9 @@ type IPv6OVNKubernetesConfig struct {
 // architecture that connects the cluster routers on each node together to enable
 // east west traffic. The subnet chosen should not overlap with other networks
 // specified for OVN-Kubernetes as well as other networks used on the host.
- // The value cannot be changed after installation.
 // When ommitted, this means no opinion and the platform is left to choose a reasonable
 // default which is subject to change over time.
- // The subnet must be large enough to accomadate one IP per node in your cluster
+ // The subnet must be large enough to accommodate one IP per node in your cluster
 // The current default subnet is fd97::/64
 // The value must be in proper IPV6 CIDR format
 // Note that IPV6 dual addresses are not permitted
@@ -527,9 +522,8 @@ type IPv6OVNKubernetesConfig struct {
 // internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the
 // default one is being already used by something else. It must not overlap with
 // any other subnet being used by OpenShift or by the node network. The size of the
- // subnet must be larger than the number of nodes. The value cannot be changed
- // after installation.
- // The subnet must be large enough to accomadate one IP per node in your cluster
+ // subnet must be larger than the number of nodes.
+ // The subnet must be large enough to accommodate one IP per node in your cluster
 // The current default value is fd98::/64
 // The value must be in proper IPV6 CIDR format
 // Note that IPV6 dual addresses are not permitted
@@ -646,7 +640,7 @@ type IPv4GatewayConfig struct { // OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must // be large enough to accommodate 6 IPs (maximum prefix length /29). // When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - // The current default subnet is 169.254.169.0/29 + // The current default subnet is 169.254.0.0/17 // The value must be in proper IPV4 CIDR format // +kubebuilder:validation:MaxLength=18 // +kubebuilder:validation:XValidation:rule="isCIDR(self) && cidr(self).ip().family() == 4",message="Subnet must be in valid IPV4 CIDR format" @@ -665,7 +659,7 @@ type IPv6GatewayConfig struct { // OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must // be large enough to accommodate 6 IPs (maximum prefix length /125). // When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - // The current default subnet is fd69::/125 + // The current default subnet is fd69::/112 // Note that IPV6 dual addresses are not permitted // +kubebuilder:validation:XValidation:rule="isCIDR(self) && cidr(self).ip().family() == 6",message="Subnet must be in valid IPV6 CIDR format" // +kubebuilder:validation:XValidation:rule="isCIDR(self) && cidr(self).prefixLength() <= 125",message="subnet must be in the range /0 to /125 inclusive" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml index 73078d0302..7a41655bd1 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml 
@@ -316,7 +316,7 @@ spec: OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is 169.254.169.0/29 + The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format maxLength: 18 type: string @@ -345,7 +345,7 @@ spec: OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The current default subnet is fd69::/125 + The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted type: string x-kubernetes-validations: @@ -466,10 +466,9 @@ spec: internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. + subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster + The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format maxLength: 18 type: string 
@@ -487,11 +486,10 @@ spec: architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 - The subnet must be large enough to accomadate one IP per node in your cluster + The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format maxLength: 18 type: string @@ -514,9 +512,8 @@ spec: internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. - The subnet must be large enough to accomadate one IP per node in your cluster + subnet must be larger than the number of nodes. + The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted 
@@ -534,10 +531,9 @@ spec: architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. - The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. - The subnet must be large enough to accomadate one IP per node in your cluster + The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted @@ -626,8 +622,7 @@ spec: v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. + subnet must be larger than the number of nodes. Default is 100.64.0.0/16 type: string v6InternalSubnet: @@ -635,8 +630,7 @@ spec: v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the - subnet must be larger than the number of nodes. The value cannot be changed - after installation. + subnet must be larger than the number of nodes. Default is fd98::/64 type: string type: object diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index a0fa4fe475..582f9686ff 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go 
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -1712,7 +1712,7 @@ func (IPsecFullModeConfig) SwaggerDoc() map[string]string { var map_IPv4GatewayConfig = map[string]string{ "": "IPV4GatewayConfig holds the configuration paramaters for IPV4 connections in the GatewayConfig for OVN-Kubernetes", - "internalMasqueradeSubnet": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format", + "internalMasqueradeSubnet": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format", } func (IPv4GatewayConfig) SwaggerDoc() map[string]string { 
@@ -1720,8 +1720,8 @@ func (IPv4GatewayConfig) SwaggerDoc() map[string]string { } var map_IPv4OVNKubernetesConfig = map[string]string{ - "internalTransitSwitchSubnet": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", - "internalJoinSubnet": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The current default value is 100.64.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "internalTransitSwitchSubnet": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. 
The current default subnet is 100.88.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "internalJoinSubnet": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", } func (IPv4OVNKubernetesConfig) SwaggerDoc() map[string]string { 
@@ -1730,7 +1730,7 @@ func (IPv4OVNKubernetesConfig) SwaggerDoc() map[string]string { var map_IPv6GatewayConfig = map[string]string{ "": "IPV6GatewayConfig holds the configuration paramaters for IPV6 connections in the GatewayConfig for OVN-Kubernetes", - "internalMasqueradeSubnet": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/125 Note that IPV6 dual addresses are not permitted", + "internalMasqueradeSubnet": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted", } func (IPv6GatewayConfig) SwaggerDoc() map[string]string { 
@@ -1738,8 +1738,8 @@ func (IPv6GatewayConfig) SwaggerDoc() map[string]string { } var map_IPv6OVNKubernetesConfig = map[string]string{ - "internalTransitSwitchSubnet": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", - "internalJoinSubnet": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "internalTransitSwitchSubnet": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. 
When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "internalJoinSubnet": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", } func (IPv6OVNKubernetesConfig) SwaggerDoc() map[string]string { 
@@ -1840,8 +1840,8 @@ var map_OVNKubernetesConfig = map[string]string{ "ipsecConfig": "ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.", "policyAuditConfig": "policyAuditConfig is the configuration for network policy audit events. If unset, reported defaults are used.", "gatewayConfig": "gatewayConfig holds the configuration for node gateway options.", - "v4InternalSubnet": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", - "v6InternalSubnet": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", + "v4InternalSubnet": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is 100.64.0.0/16", + "v6InternalSubnet": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is fd98::/64", "egressIPConfig": "egressIPConfig holds the configuration for EgressIP options.", "ipv4": "ipv4 allows users to configure IP settings for IPv4 connections. 
When ommitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.", "ipv6": "ipv6 allows users to configure IP settings for IPv6 connections. When ommitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.", diff --git a/vendor/modules.txt b/vendor/modules.txt index 34b5ad4f24..3ff80c37fa 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -981,7 +981,7 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations @@ -2772,3 +2772,4 @@ sigs.k8s.io/yaml/goyaml.v2 sigs.k8s.io/yaml/goyaml.v3 # k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 # github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 +# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc From e0ec96db39582b048e8b8a5158046c0066dc6313 Mon Sep 17 00:00:00 2001 
From: Naseerah Kani Pakrudeen Ali Date: Mon, 14 Jul 2025 16:28:24 -0400 Subject: [PATCH 06/11] initial changes --- go.mod | 4 +- go.sum | 8 +-- pkg/operator/sync.go | 6 ++ pkg/upgrademonitor/upgrade_monitor.go | 14 ++++- .../v1/types_machineconfignode.go | 39 ++++++------- ...achineconfignodes-CustomNoUpgrade.crd.yaml | 57 +++++++++++-------- ...fig_01_machineconfignodes-Default.crd.yaml | 14 +---- ...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 57 +++++++++++-------- ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 57 +++++++++++-------- .../v1/zz_generated.deepcopy.go | 6 +- ..._generated.featuregated-crd-manifests.yaml | 12 +--- .../v1/zz_generated.swagger_doc_generated.go | 8 +-- vendor/modules.txt | 8 +-- 13 files changed, 161 insertions(+), 129 deletions(-) diff --git a/go.mod b/go.mod index 048d0a6bf1..772f5acd83 100644 --- a/go.mod +++ b/go.mod @@ -351,6 +351,6 @@ require ( replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 -replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 +replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 -replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc +replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 diff --git a/go.sum b/go.sum index 0db2fe2ca0..b12e19f606 100644 --- a/go.sum +++ b/go.sum 
@@ -483,10 +483,10 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= -github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc h1:zViLcax8usXZ98kf+zbBgG+xGTctxD0IZNItL1XdmWE= -github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= -github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 h1:F3b00R8BHTLsRFwdnFqsq2qbmBNo/wb7NlW2yuvUmk4= -github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344/go.mod h1:Cce4FUvlkzzMnElVNAk2VDn/g6H48DyK96ZYcaU9GdY= +github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 h1:rQMpXmqxtPWXMDgHCcWIp/pe88g2zDrpOOIssygbtKU= +github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 h1:IREE8JqeISOk0Iq40xsDLyJaYupGG27ZZzYQstO8sr4= +github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23/go.mod h1:bzFwp/7ipZKYCdEMNZKGfyPeWVr9tIHf9j4fPygaOnQ= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go index 672b47ab48..603b6e36d3 100644 --- a/pkg/operator/sync.go +++ b/pkg/operator/sync.go 
@@ -790,6 +790,10 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste ConfigVersion: mcfgv1.MachineConfigNodeSpecMachineConfigVersion{ Desired: upgrademonitor.NotYetSet, }, + // leaving this empty because configImage and all the fields are optional + ConfigImage: mcfgv1.MachineConfigNodeSpecConfigImage{ + DesiredImage: "", + }, }, TypeMeta: metav1.TypeMeta{ Kind: "MachineConfigNode", @@ -825,6 +829,8 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste } } + //CHECK: are you checking anything for configImage if it's empty? + } if mcns != nil { for _, mcn := range mcns.Items { diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go index 7e1a60ab0d..40fc02a768 100644 --- a/pkg/upgrademonitor/upgrade_monitor.go +++ b/pkg/upgrademonitor/upgrade_monitor.go @@ -145,12 +145,14 @@ func generateAndApplyMachineConfigNodes( mcfgv1.MachineConfigNodeUpdateComplete, mcfgv1.MachineConfigNodeResumed, mcfgv1.MachineConfigNodeUpdateDrained, - mcfgv1.MachineConfigNodeUpdateFilesAndOS, + mcfgv1.MachineConfigNodeUpdateFiles, + mcfgv1.MachineConfigNodeUpdateOS, mcfgv1.MachineConfigNodeUpdateCordoned, mcfgv1.MachineConfigNodeUpdateRebooted, mcfgv1.MachineConfigNodeUpdated, mcfgv1.MachineConfigNodeUpdateUncordoned, mcfgv1.MachineConfigNodeNodeDegraded, + mcfgv1.MachineConfigNodeImagePulledFromRegistry, } allConditionTypes = append(allConditionTypes, singletonConditionTypes...) @@ -397,6 +399,16 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc return err } } + + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ + DesiredImage: node.Annotations[daemonconsts.DesiredMachineConfigAnnotationKey], + } + + if newMCNode.Spec.ConfigImage.DesiredImage == "" { + // since it's required now, this would probably error out? + } + } return nil } 
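Review bot: Setting `DesiredImage: ""` explicitly is likely to be rejected rather than treated as absent: the vendored spec type in the types_machineconfignode.go hunk of this series serializes `desiredImage` without `omitempty` and guards it with a CEL `self.matches(...)` rule and a documented length of 1 to 447 characters, which an empty string cannot satisfy. The comment `// leaving this empty because configImage and all the fields are optional` describes the intent, not what the apiserver will do once the ImageModeStatusReporting gate is on. In Go terms the literal is a no-op (the zero value is identical), so the real question is whether the spec's `configImage` is dropped from the wire when empty; if it is not, every operator-created MCN will fail CRD validation on gated clusters, and the comment should say what the outcome is expected to be. Whether the CEL rule is evaluated against an empty string depends on the generated CRD schema, which is not in this hunk. syncMachineConfigNodes starts and ends outside the hunk.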
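Review bot: `//CHECK: are you checking anything for configImage if it's empty?` is a reviewer question left in the code rather than a comment a maintainer can act on, and it is added on an otherwise empty line inside syncMachineConfigNodes. Either resolve it in this PR or replace it with a tracked item that states the expected behaviour, e.g. `// TODO(<owner>): decide whether an empty spec.configImage.desiredImage is skipped or reported before ImageModeStatusReporting is enabled by default`. syncMachineConfigNodes starts and ends outside this hunk.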
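Review bot: `mcfgv1.MachineConfigNodeUpdateFiles`, `mcfgv1.MachineConfigNodeUpdateOS` and `mcfgv1.MachineConfigNodeImagePulledFromRegistry` are appended to singletonConditionTypes unconditionally, while the vendored MachineConfigNodeStatus doc in the types_machineconfignode.go hunk states that AppliedFiles, AppliedOSImage and ImagePulledFromRegistry are only available when the ImageModeStatusReporting gate is enabled. If the CRD enumerates allowed condition types, status updates on clusters without that gate will be rejected, so these three entries should be added under the same check the later hunk uses (`fg.Enabled(features.FeatureGateImageModeStatusReporting)`), assuming the accessor is reachable from here. Dropping `mcfgv1.MachineConfigNodeUpdateFilesAndOS` also leaves the AppliedFilesAndOS condition uninitialised even though the vendored printcolumn in this series still reads `.status.conditions[?(@.type=="AppliedFilesAndOS")]` and the constant is kept (renamed) in the vendored consts hunk; confirm that is intended. generateAndApplyMachineConfigNodes starts and ends outside this hunk.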
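Review bot: `DesiredImage: node.Annotations[daemonconsts.DesiredMachineConfigAnnotationKey]` reads the desired MachineConfig annotation, which by its name carries a rendered MachineConfig name rather than an image pullspec, so the value is unlikely to satisfy the OCI-image CEL rule the vendored spec type attaches to `desiredImage`, and the apply would then fail for every node once the gate is on; the vendored type's doc says the value comes from the desired image annotation set by the MachineConfigPool controller, so that key (not visible here) should be used instead. The following `if newMCNode.Spec.ConfigImage.DesiredImage == "" { // since it's required now, this would probably error out? }` is an empty branch carrying an open question; the vendored hunk marks the field `+optional`, so either delete the branch or make it skip populating ConfigImage when the annotation is absent, e.g. `if img := node.Annotations[<desired-image-annotation-key>]; img != "" { newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{DesiredImage: img} }`. GenerateAndApplyMachineConfigNodeSpec starts outside this hunk.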
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go index c32db6f5a8..e4740bb1dc 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go 
@@ -22,13 +22,11 @@ import ( // +kubebuilder:printcolumn:name="UpdatePostActionComplete",type="string",JSONPath=.status.conditions[?(@.type=="UpdatePostActionComplete")].status,priority=1 // +kubebuilder:printcolumn:name="UpdateComplete",type="string",JSONPath=.status.conditions[?(@.type=="UpdateComplete")].status,priority=1 // +kubebuilder:printcolumn:name="Resumed",type="string",JSONPath=.status.conditions[?(@.type=="Resumed")].status,priority=1 -// +kubebuilder:printcolumn:name="UpdatedOSImage",type="string",JSONPath=.status.conditions[?(@.type=="AppliedOSImage")].status,priority=1 -// +kubebuilder:printcolumn:name="UpdatedFiles",type="string",JSONPath=.status.conditions[?(@.type=="AppliedFiles")].status,priority=1 +// +kubebuilder:printcolumn:name="UpdatedFilesAndOS",type="string",JSONPath=.status.conditions[?(@.type=="AppliedFilesAndOS")].status,priority=1 // +kubebuilder:printcolumn:name="CordonedNode",type="string",JSONPath=.status.conditions[?(@.type=="Cordoned")].status,priority=1 // +kubebuilder:printcolumn:name="DrainedNode",type="string",JSONPath=.status.conditions[?(@.type=="Drained")].status,priority=1 // +kubebuilder:printcolumn:name="RebootedNode",type="string",JSONPath=.status.conditions[?(@.type=="RebootedNode")].status,priority=1 // +kubebuilder:printcolumn:name="UncordonedNode",type="string",JSONPath=.status.conditions[?(@.type=="Uncordoned")].status,priority=1 -// +kubebuilder:printcolumn:name="ImagePulledFromRegistry",type="string",JSONPath=.status.conditions[?(@.type=="ImagePulledFromRegistry")].status,priority=1 // +kubebuilder:metadata:labels=openshift.io/operator-managed= // MachineConfigNode describes the health of the Machines on the system 
@@ -114,7 +112,7 @@ type MachineConfigNodeStatus struct { // conditions represent the observations of a machine config node's current state. Valid types are: // UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, // Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - // , and PinnedImageSetsDegraded. + // and PinnedImageSetsDegraded. // The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, // AppliedOSImage, AppliedFiles // +listType=map @@ -134,7 +132,7 @@ type MachineConfigNodeStatus struct { // configImage describes the current and desired image for this node. // +openshift:enable:FeatureGate=ImageModeStatusReporting // +optional - ConfigImage *MachineConfigNodeStatusConfigImage `json:"configImage,omitempty"` + ConfigImage MachineConfigNodeStatusConfigImage `json:"configImage"` // pinnedImageSets describes the current and desired pinned image sets for this node. // +listType=map // +listMapKey=name 
@@ -229,11 +227,12 @@ type MachineConfigNodeSpecMachineConfigVersion struct { // annotation on the target node, which is set by the Machine Config Pool controller // to signal the desired image pullspec for the node to update to. type MachineConfigNodeSpecConfigImage struct { - // desiredImage is the fully-qualified pullspec of the image that the Machine - // Config Operator (MCO) intends to apply to the node. - // Required field that can be at most 253 characters in length. - // +kubebuilder:validation:MaxLength:=253 - // +required + // desiredImage is the fully qualified image pull spec of the image that the Machine + // Config Operator (MCO) intends to apply to the node. This field is optional. + // The length of the field must be between 1 to 447 characters. + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // +optional DesiredImage string `json:"desiredImage"` } 
@@ -242,20 +241,22 @@ type MachineConfigNodeSpecConfigImage struct { // currently applied. This allows for monitoring the progress of the layering // rollout. type MachineConfigNodeStatusConfigImage struct { - // currentImage is the fully-qualified pullspec of the image that is + // currentImage is the fully qualified image pull spec of the image that is // currently applied to the node. // This field is optional because when image-mode is first enabled on a // node, there is no currentImage because the node has not yet applied // the updated image. Only after the updated image is applied will the // currentImage be populated. - // This field can be at most 253 characters in length. - // +kubebuilder:validation:MaxLength:=253 + // The length of the field must be between 1 to 447 characters. + // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." // +optional - CurrentImage string `json:"currentImage,omitempty"` + CurrentImage string `json:"currentImage"` // desiredImage is a mirror of the desired image from the Spec. When the - // current and desired image are not equal, the node is in an updating phase. - // Optional field that can be at most 253 characters in length. - // +kubebuilder:validation:MaxLength:=253 + // current and desired image are not equal, the node is in an updating phase. This field is optional. + // The length of the field must be between 1 to 447 characters. 
+ // +kubebuilder:validation:MaxLength=447 + // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." // +optional DesiredImage string `json:"desiredImage"` } @@ -283,8 +284,8 @@ const ( MachineConfigNodeUpdateFiles StateProgress = "AppliedFiles" // MachineConfigNodeUpdateOS describes the part of the in progress phase where the OS config changes MachineConfigNodeUpdateOS StateProgress = "AppliedOSImage" - // MachineConfigNodeUpdateOS describes the part of the in progress phase where the nodes files and OS config change - MachineConfigNodeAppliedFilesAndOS StateProgress = "AppliedFilesAndOS" + // MachineConfigNodeUpdateFilesAndOS describes the part of the in progress phase where the nodes files and OS config change + MachineConfigNodeUpdateFilesAndOS StateProgress = "AppliedFilesAndOS" // MachineConfigNodeImagePulledFromRegistry describes the part of the in progress phase where the update image is pulled from the registry MachineConfigNodeImagePulledFromRegistry StateProgress = "ImagePulledFromRegistry" // MachineConfigNodeUpdateCordoned describes the part of the in progress phase where the node cordons diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml index 669f3f561c..2bb2409395 100644 
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml @@ -52,12 +52,8 @@ spec: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status - name: UpdatedOSImage - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status - name: UpdatedFiles + - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status + name: UpdatedFilesAndOS priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -76,10 +72,6 @@ spec: name: UncordonedNode priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status - name: ImagePulledFromRegistry - priority: 1 - type: string name: v1 schema: openAPIV3Schema: 
@@ -115,13 +107,18 @@ spec: properties: desiredImage: description: |- - desiredImage is the fully-qualified pullspec of the image that the Machine - Config Operator (MCO) intends to apply to the node. - Required field that can be at most 253 characters in length. - maxLength: 253 + desiredImage is the fully qualified image pull spec of the image that the Machine + Config Operator (MCO) intends to apply to the node. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string - required: - - desiredImage + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: |- @@ -205,7 +202,7 @@ spec: conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - , and PinnedImageSetsDegraded. + and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles items: 
@@ -273,22 +270,36 @@ spec: properties: currentImage: description: |- - currentImage is the fully-qualified pullspec of the image that is + currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - This field can be at most 253 characters in length. - maxLength: 253 + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. - Optional field that can be at most 253 characters in length. - maxLength: 253 + current and desired image are not equal, the node is in an updating phase. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml index 343e44697f..21d9caaa42 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml @@ -52,12 +52,8 @@ spec: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status - name: UpdatedOSImage - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status - name: UpdatedFiles + - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status + name: UpdatedFilesAndOS priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -76,10 +72,6 @@ spec: name: UncordonedNode priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status - name: ImagePulledFromRegistry - priority: 1 - type: string name: v1 schema: openAPIV3Schema: 
@@ -189,7 +181,7 @@ spec: conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - , and PinnedImageSetsDegraded. + and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles items: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml index de578029c0..49492e117a 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml @@ -52,12 +52,8 @@ spec: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status - name: UpdatedOSImage - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status - name: UpdatedFiles + - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status + name: UpdatedFilesAndOS priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -76,10 +72,6 @@ spec: name: UncordonedNode priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status - name: ImagePulledFromRegistry - priority: 1 - type: string name: v1 schema: openAPIV3Schema: 
@@ -115,13 +107,18 @@ spec: properties: desiredImage: description: |- - desiredImage is the fully-qualified pullspec of the image that the Machine - Config Operator (MCO) intends to apply to the node. - Required field that can be at most 253 characters in length. - maxLength: 253 + desiredImage is the fully qualified image pull spec of the image that the Machine + Config Operator (MCO) intends to apply to the node. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string - required: - - desiredImage + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: |- @@ -205,7 +202,7 @@ spec: conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - , and PinnedImageSetsDegraded. + and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles items: 
@@ -273,22 +270,36 @@ spec: properties: currentImage: description: |- - currentImage is the fully-qualified pullspec of the image that is + currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - This field can be at most 253 characters in length. - maxLength: 253 + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. - Optional field that can be at most 253 characters in length. - maxLength: 253 + current and desired image are not equal, the node is in an updating phase. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml index 9ac70ab26d..e731ca9c62 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml @@ -52,12 +52,8 @@ spec: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status - name: UpdatedOSImage - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status - name: UpdatedFiles + - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status + name: UpdatedFilesAndOS priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -76,10 +72,6 @@ spec: name: UncordonedNode priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status - name: ImagePulledFromRegistry - priority: 1 - type: string name: v1 schema: openAPIV3Schema: 
@@ -115,13 +107,18 @@ spec: properties: desiredImage: description: |- - desiredImage is the fully-qualified pullspec of the image that the Machine - Config Operator (MCO) intends to apply to the node. - Required field that can be at most 253 characters in length. - maxLength: 253 + desiredImage is the fully qualified image pull spec of the image that the Machine + Config Operator (MCO) intends to apply to the node. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string - required: - - desiredImage + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: |- @@ -205,7 +202,7 @@ spec: conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, - , and PinnedImageSetsDegraded. + and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles items: 
@@ -273,22 +270,36 @@ spec: properties: currentImage: description: |- - currentImage is the fully-qualified pullspec of the image that is + currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - This field can be at most 253 characters in length. - maxLength: 253 + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. - Optional field that can be at most 253 characters in length. - maxLength: 253 + current and desired image are not equal, the node is in an updating phase. This field is optional. + The length of the field must be between 1 to 447 characters. + maxLength: 447 type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, + and tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go index 9b148fa46e..60b6d15b84 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go @@ -793,11 +793,7 @@ func (in *MachineConfigNodeStatus) DeepCopyInto(out *MachineConfigNodeStatus) { *out = new(MachineConfigNodeStatusMachineConfigVersion) **out = **in } - if in.ConfigImage != nil { - in, out := &in.ConfigImage, &out.ConfigImage - *out = new(MachineConfigNodeStatusConfigImage) - **out = **in - } + out.ConfigImage = in.ConfigImage if in.PinnedImageSets != nil { in, out := &in.PinnedImageSets, &out.PinnedImageSets *out = make([]MachineConfigNodeStatusPinnedImageSet, len(*in)) diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 889c05aef6..45b5ba9b82 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -161,12 +161,8 @@ machineconfignodes.machineconfiguration.openshift.io: name: Resumed priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="AppliedOSImage")].status - name: UpdatedOSImage - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="AppliedFiles")].status - name: UpdatedFiles + - jsonPath: .status.conditions[?(@.type=="AppliedFilesAndOS")].status + name: UpdatedFilesAndOS priority: 1 type: string - jsonPath: .status.conditions[?(@.type=="Cordoned")].status @@ -185,10 +181,6 @@ machineconfignodes.machineconfiguration.openshift.io: name: UncordonedNode priority: 1 type: string - - jsonPath: .status.conditions[?(@.type=="ImagePulledFromRegistry")].status - name: ImagePulledFromRegistry - priority: 1 - type: string Scope: Cluster ShortNames: null TopLevelFeatureGates: diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index dfb20651bf..0c2f1c43d2 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -412,7 +412,7 @@ func (MachineConfigNodeSpec) SwaggerDoc() map[string]string { var map_MachineConfigNodeSpecConfigImage = map[string]string{ "": "MachineConfigNodeSpecConfigImage holds the desired image for the node. This structure is populated from the `machineconfiguration.openshift.io/desiredImage` annotation on the target node, which is set by the Machine Config Pool controller to signal the desired image pullspec for the node to update to.", - "desiredImage": "desiredImage is the fully-qualified pullspec of the image that the Machine Config Operator (MCO) intends to apply to the node. Required field that can be at most 253 characters in length.", + "desiredImage": "desiredImage is the fully qualified image pull spec of the image that the Machine Config Operator (MCO) intends to apply to the node. This field is optional. The length of the field must be between 1 to 447 characters.", } func (MachineConfigNodeSpecConfigImage) SwaggerDoc() map[string]string { 
@@ -430,7 +430,7 @@ func (MachineConfigNodeSpecMachineConfigVersion) SwaggerDoc() map[string]string var map_MachineConfigNodeStatus = map[string]string{ "": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", - "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, , and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles", + "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles", "observedGeneration": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", "configVersion": "configVersion describes the current and desired machine config version for this node.", "configImage": "configImage describes the current and desired image for this node.", 
@@ -443,8 +443,8 @@ func (MachineConfigNodeStatus) SwaggerDoc() map[string]string { var map_MachineConfigNodeStatusConfigImage = map[string]string{ "": "MachineConfigNodeStatusConfigImage holds the observed state of the image on the node, including both the image targeted for an update and the image currently applied. This allows for monitoring the progress of the layering rollout.", - "currentImage": "currentImage is the fully-qualified pullspec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. This field can be at most 253 characters in length.", - "desiredImage": "desiredImage is a mirror of the desired image from the Spec. When the current and desired image are not equal, the node is in an updating phase. Optional field that can be at most 253 characters in length.", + "currentImage": "currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. The length of the field must be between 1 to 447 characters.", + "desiredImage": "desiredImage is a mirror of the desired image from the Spec. When the current and desired image are not equal, the node is in an updating phase. This field is optional. The length of the field must be between 1 to 447 characters.", } func (MachineConfigNodeStatusConfigImage) SwaggerDoc() map[string]string { diff --git a/vendor/modules.txt b/vendor/modules.txt index 3ff80c37fa..2e4bc212ce 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -981,7 +981,7 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1064,7 +1064,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 +# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 ## explicit; go 1.23.0 github.com/openshift/client-go/build/applyconfigurations/build/v1 github.com/openshift/client-go/build/applyconfigurations/internal @@ -2771,5 +2771,5 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 sigs.k8s.io/yaml/goyaml.v3 # k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 -# github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250702153039-3fb0bcdfe344 -# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250702152244-85f45829f9cc +# github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 +# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 From ae76087e8089f191d83e80ad1788f0ac45f1bc3e Mon Sep 17 00:00:00 2001 
From: Naseerah Kani Pakrudeen Ali Date: Fri, 18 Jul 2025 09:42:00 -0400 Subject: [PATCH 07/11] updated code --- pkg/controller/node/node_controller.go | 9 +++++ pkg/operator/sync.go | 23 ++++++++++--- pkg/upgrademonitor/upgrade_monitor.go | 47 ++++++++++++++++++++------ 3 files changed, 63 insertions(+), 16 deletions(-) diff --git a/pkg/controller/node/node_controller.go b/pkg/controller/node/node_controller.go index b1911b2503..49622630af 100644 --- a/pkg/controller/node/node_controller.go +++ b/pkg/controller/node/node_controller.go @@ -723,6 +723,15 @@ func (ctrl *Controller) updateNode(old, cur interface{}) { } } + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + // check if second part of conditional is necessary + if oldNode.Annotations[daemonconsts.CurrentImageAnnotationKey] != oldNode.Annotations[daemonconsts.DesiredImageAnnotationKey] && curLNS.IsNodeDone() { + ctrl.logPoolNode(pool, curNode, "Completed update to %s", curNode.Annotations[daemonconsts.DesiredImageAnnotationKey]) + changed = true + } + + } + if !changed { return } diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go index 603b6e36d3..4e7a9c0186 100644 --- a/pkg/operator/sync.go +++ b/pkg/operator/sync.go @@ -790,10 +790,6 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste ConfigVersion: mcfgv1.MachineConfigNodeSpecMachineConfigVersion{ Desired: upgrademonitor.NotYetSet, }, - // leaving this empty because configImage and all the fields are optional - ConfigImage: mcfgv1.MachineConfigNodeSpecConfigImage{ - DesiredImage: "", - }, }, TypeMeta: metav1.TypeMeta{ Kind: "MachineConfigNode", 
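Review bot: The new image-mode branch in updateNode can log `Completed update to …` on every update event rather than once, because it compares only the old node's current/desired image annotations and the new node's `IsNodeDone()`, never whether the new node's image annotations have actually converged; if `IsNodeDone()` tracks the machine-config annotations rather than the image ones (not visible in the hunk), a done node whose image annotations still differ would trip it repeatedly. Consider `imgDone := curNode.Annotations[daemonconsts.CurrentImageAnnotationKey] == curNode.Annotations[daemonconsts.DesiredImageAnnotationKey]` and requiring `imgDone && oldNode.Annotations[daemonconsts.CurrentImageAnnotationKey] != oldNode.Annotations[daemonconsts.DesiredImageAnnotationKey]`. The `// check if second part of conditional is necessary` comment is an open question and should be resolved, or made a TODO with an owner, before merge; `fg` is not declared inside the hunk, so where updateNode obtains it should be confirmed. updateNode begins before the hunk.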
@@ -811,6 +807,14 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste }, }, } + + //Add: check if image mode status reporting fg is enables and if yes, use 821-826 as a guideline for configImage initialization + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + newMCS.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ + DesiredImage: node.Annotations[daemonconsts.DesiredImageAnnotationKey], + } + } + mcsBytes, err := json.Marshal(newMCS) if err != nil { klog.Errorf("error rendering asset for MachineConfigNode %v", err) @@ -821,6 +825,7 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste if err != nil { return err } + // if this is the first time we are applying the MCN and the node is ready, set the config version probably if mcn.Spec.ConfigVersion.Desired == upgrademonitor.NotYetSet { err = upgrademonitor.GenerateAndApplyMachineConfigNodeSpec(optr.fgAccessor, pool, node, optr.client) @@ -829,9 +834,17 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste } } - //CHECK: are you checking anything for configImage if it's empty? + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + if mcn.Spec.ConfigImage.DesiredImage == upgrademonitor.NotYetSet { + err = upgrademonitor.GenerateAndApplyMachineConfigNodeSpec(optr.fgAccessor, pool, node, optr.client) + if err != nil { + klog.Errorf("Error making MCN spec for Update Compatible: %v", err) + } + } + } } + if mcns != nil { for _, mcn := range mcns.Items { if _, ok := nodeMap[mcn.Name]; !ok { diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go index 40fc02a768..d1e1f2bfab 100644 --- a/pkg/upgrademonitor/upgrade_monitor.go +++ b/pkg/upgrademonitor/upgrade_monitor.go 
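Review bot: `newMCS.Spec.ConfigImage.DesiredImage` is copied straight from `node.Annotations[daemonconsts.DesiredImageAnnotationKey]`, which is the empty string whenever the annotation is absent; the vendored CRD in this series attaches a pullspec regex rule to `desiredImage` and the Go field no longer carries `omitempty`, so the empty value is serialized and may be rejected by the API server on create (inferred from the manifests — verify with a node that has no image annotation). Guard the assignment so only a real pullspec is written: `if img := node.Annotations[daemonconsts.DesiredImageAnnotationKey]; img != "" { newMCS.Spec.ConfigImage.DesiredImage = img }`. The `//Add: check if ... use 821-826 as a guideline` comment is a work note whose line numbers will rot; replace it with the intent, e.g. `// Seed the desired image from the node annotation so image-mode status can be tracked from the first apply.` syncMachineConfigNodes begins before the hunk.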
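Review bot: The added comment ends with `probably`, which leaves the reader unsure whether the `NotYetSet` branch below it is the intended first-apply path; a committed comment should state the condition the code checks. Suggest `// First apply of this MCN: the spec still holds the NotYetSet sentinel, so generate the desired config version now.` (wording to be confirmed against GenerateAndApplyMachineConfigNodeSpec, which is outside the hunk).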
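Review bot: The new `mcn.Spec.ConfigImage.DesiredImage == upgrademonitor.NotYetSet` check can never be true as the series stands, because nothing visible writes that sentinel into DesiredImage — the hunk above seeds it from the node annotation and the upgrade_monitor change in this commit assigns an empty string to itself — so the image spec is never regenerated. Pick one marker (empty string, or NotYetSet written consistently in both places) and test for it here; note that the NotYetSet sentinel would not satisfy the pullspec regex the CRD now applies to desiredImage, so the empty string is the safer choice. The branch also repeats the GenerateAndApplyMachineConfigNodeSpec call made for ConfigVersion, so a node meeting both conditions applies twice; fold them into one condition such as `needsSpec := mcn.Spec.ConfigVersion.Desired == upgrademonitor.NotYetSet || (fg.Enabled(features.FeatureGateImageModeStatusReporting) && mcn.Spec.ConfigImage.DesiredImage == "")` and call once. The enclosing loop and syncMachineConfigNodes continue outside the hunk.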
@@ -222,7 +222,11 @@ func generateAndApplyMachineConfigNodes( case condition.Status != metav1.ConditionFalse && reset: condition.Status = metav1.ConditionFalse + // ASK: does this message change if OCL is used condition.Message = fmt.Sprintf("Action during update to %s: %s", newMCNode.Spec.ConfigVersion.Desired, condition.Message) + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + condition.Message = fmt.Sprintf("") + } condition.LastTransitionTime = metav1.Now() } condition.DeepCopyInto(&newMCNode.Status.Conditions[i]) @@ -249,7 +253,6 @@ func generateAndApplyMachineConfigNodes( } else { newMCNode.Status.ConfigVersion.Desired = desiredAnnotation } - // Set current version in MCN.Status.ConfigVersion if node annotation exists if node.Annotations[daemonconsts.CurrentMachineConfigAnnotationKey] != "" { newMCNode.Status.ConfigVersion.Current = node.Annotations[daemonconsts.CurrentMachineConfigAnnotationKey] @@ -292,6 +295,14 @@ func generateAndApplyMachineConfigNodes( } } + if fg.Enabled(features.FeatureGateImageModeStatusReporting) { + statusConfigImageApplyImage := machineconfigurationv1.MachineConfigNodeStatusMachineConfigImage().WithDesired(newMCNode.Status.ConfigImage) + if node.Annotations[daemonconsts.CurrentImageAnnotationKey] != "" { + statusConfigImageApplyImage = statusConfigImageApplyImage.WithCurrent(newMCNode.Status.ConfigImage.CurrentImage) + } + + } + mcnodeApplyConfig := machineconfigurationv1.MachineConfigNode(newMCNode.Name).WithStatus(statusApplyConfig) _, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().ApplyStatus(context.TODO(), mcnodeApplyConfig, metav1.ApplyOptions{FieldManager: "machine-config-operator", Force: true}) if err != nil { 
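Review bot: With the ImageModeStatusReporting gate on, `condition.Message = fmt.Sprintf("")` wipes the "Action during update to %s: %s" text that was built on the line before, for every condition being reset on every pool, OCL or not, so the status loses the only explanation of why the condition flipped to False; `fmt.Sprintf` with a constant and no verbs is also a go vet finding. If the image-mode message should differ, carry the image instead of blanking, e.g. `condition.Message = fmt.Sprintf("Action during update to %s (image %s): %s", newMCNode.Spec.ConfigVersion.Desired, newMCNode.Spec.ConfigImage.DesiredImage, condition.Message)`. The `// ASK: does this message change if OCL is used` comment is an open question and should not be merged as-is. generateAndApplyMachineConfigNodes begins and ends outside the hunk.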
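Review bot: statusConfigImageApplyImage is built inside the gate but never attached to statusApplyConfig, so the ApplyStatus call below still sends no configImage and the new status field is never written; the block is dead code. Chain it in before the apply, `statusApplyConfig = statusApplyConfig.WithConfigImage(statusConfigImageApplyImage)`, assuming the applyconfiguration type gains that method with the client-go bump in the next patch. `WithDesired(newMCNode.Status.ConfigImage)` also hands the whole struct where a string is expected, and both values are read back from newMCNode.Status rather than from the node annotations the `if` tests, so they can be stale; sourcing desired/current from `node.Annotations[daemonconsts.DesiredImageAnnotationKey]` and `...CurrentImageAnnotationKey` would match how ConfigVersion is populated above. generateAndApplyMachineConfigNodes begins and ends outside the hunk.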
@@ -306,6 +317,17 @@ func generateAndApplyMachineConfigNodes(
 	if newMCNode.Spec.ConfigVersion.Desired == "" {
 		newMCNode.Spec.ConfigVersion.Desired = NotYetSet
 	}
+
+	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
+		newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecMachineConfigImage{
+			Desired: node.Annotations[daemonconsts.DesiredImageAnnotationKey],
+		}
+
+		if newMCNode.Spec.ConfigImage.DesiredImage == "" {
+			newMCNode.Spec.ConfigImage.DesiredImage = ""
+		}
+
+	}
 	newMCNode.Name = node.Name
 	newMCNode.Spec.Pool = mcfgv1.MCOObjectReference{Name: pool}
 	newMCNode.Spec.Node = mcfgv1.MCOObjectReference{Name: node.Name}
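Review bot: `if newMCNode.Spec.ConfigImage.DesiredImage == "" { newMCNode.Spec.ConfigImage.DesiredImage = "" }` assigns a field to the value it already has and reads as an unfinished branch; delete it or give it a real effect. The literal `mcfgv1.MachineConfigNodeSpecMachineConfigImage{Desired: ...}` also names a type and field that do not match the API type shown in this series (`MachineConfigNodeSpecConfigImage{DesiredImage: ...}`), so this commit does not compile on its own; the next patch renames it but keeps the no-op. Because DesiredImage is validated as a digest-pinned pull spec, the useful guard is to leave ConfigImage unset when the annotation is empty rather than write `""`: `if img := node.Annotations[daemonconsts.DesiredImageAnnotationKey]; img != "" { newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{DesiredImage: img} }`. generateAndApplyMachineConfigNodes extends beyond the hunk.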
@@ -381,11 +403,23 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc
 	newMCNode.Spec.Node = mcfgv1.MCOObjectReference{
 		Name: node.Name,
 	}
+
+	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
+		newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{
+			DesiredImage: node.Annotations[daemonconsts.DesiredImageAnnotationKey],
+		}
+		// check if it should be empty
+		if newMCNode.Spec.ConfigImage.DesiredImage == "" {
+			newMCNode.Spec.ConfigVersion.Desired = NotYetSet
+		}
+	}
+
 	if !needNewMCNode {
 		nodeRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Node.Name)
 		poolRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Pool.Name)
 		specconfigVersionApplyConfig := machineconfigurationv1.MachineConfigNodeSpecMachineConfigVersion().WithDesired(newMCNode.Spec.ConfigVersion.Desired)
-		specApplyConfig := machineconfigurationv1.MachineConfigNodeSpec().WithNode(nodeRefApplyConfig).WithPool(poolRefApplyConfig).WithConfigVersion(specconfigVersionApplyConfig)
+		specConfigImageApplyConfig := machineconfigurationv1.MachineConfigNodeSpecConfigImage().WithDesired(newMCNode.Spec.ConfigImage.DesiredImage)
+		specApplyConfig := machineconfigurationv1.MachineConfigNodeSpec().WithNode(nodeRefApplyConfig).WithPool(poolRefApplyConfig).WithConfigVersion(specconfigVersionApplyConfig).WithConfigImage(specConfigImageApplyConfig)
 		mcnodeApplyConfig := machineconfigurationv1.MachineConfigNode(newMCNode.Name).WithSpec(specApplyConfig)
 		_, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Apply(context.TODO(), mcnodeApplyConfig, metav1.ApplyOptions{FieldManager: "machine-config-operator", Force: true})
 		if err != nil {
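Review bot: When the gate is on and the node has no desired-image annotation, `newMCNode.Spec.ConfigVersion.Desired = NotYetSet` writes the sentinel into the wrong field: it clobbers the machine-config version resolved just above, for every node of a non-OCL pool, and that value is then applied through specconfigVersionApplyConfig, which will stall or mis-report the rendered-config rollout. The `// check if it should be empty` comment shows the intent was the image field, and an empty image needs no assignment at all, so drop the inner `if`. Separately, `.WithConfigImage(specConfigImageApplyConfig)` is chained unconditionally, outside the gate check, so with the gate off the apply still claims configImage and sends an empty desiredImage; only add it when `fg.Enabled(features.FeatureGateImageModeStatusReporting) && newMCNode.Spec.ConfigImage.DesiredImage != ""`. GenerateAndApplyMachineConfigNodeSpec begins and ends outside the hunk.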
@@ -400,15 +434,6 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc } } - if fg.Enabled(features.FeatureGateImageModeStatusReporting) { - newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ - DesiredImage: node.Annotations[daemonconsts.DesiredMachineConfigAnnotationKey], - } - - if newMCNode.Spec.ConfigImage.DesiredImage == "" { - // since it's required now, this would probably error out? - } - } return nil } From 8a455cafc4c4f18fb351ab88ec998e356bf1b085 Mon Sep 17 00:00:00 2001 From: Naseerah Kani Pakrudeen Ali Date: Tue, 22 Jul 2025 13:01:46 -0400 Subject: [PATCH 08/11] changes to mco --- go.mod | 4 +- go.sum | 8 +-- pkg/daemon/update.go | 16 ++++++ pkg/operator/sync.go | 2 +- pkg/upgrademonitor/upgrade_monitor.go | 12 ++-- .../v1/types_machineconfignode.go | 38 +++++++------ ...achineconfignodes-CustomNoUpgrade.crd.yaml | 56 +++++++++++-------- ...neconfignodes-DevPreviewNoUpgrade.crd.yaml | 56 +++++++++++-------- ...econfignodes-TechPreviewNoUpgrade.crd.yaml | 56 +++++++++++-------- .../v1/zz_generated.deepcopy.go | 6 +- .../v1/zz_generated.swagger_doc_generated.go | 12 ++-- .../v1/machineconfignodespec.go | 9 +++ .../v1/machineconfignodespecconfigimage.go | 27 +++++++++ .../v1/machineconfignodestatus.go | 9 +++ .../v1/machineconfignodestatusconfigimage.go | 36 ++++++++++++ .../applyconfigurations/utils.go | 4 ++ vendor/modules.txt | 8 +-- 17 files changed, 251 insertions(+), 108 deletions(-) create mode 100644 vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go create mode 100644 vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go diff --git a/go.mod b/go.mod index 772f5acd83..640cdaa569 100644 --- a/go.mod +++ b/go.mod 
@@ -351,6 +351,6 @@ require ( replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 -replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 +replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c -replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 +replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 diff --git a/go.sum b/go.sum index b12e19f606..a90b873874 100644 --- a/go.sum +++ b/go.sum 
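Review bot: Both `replace` directives redirect github.com/openshift/api and github.com/openshift/client-go to a personal fork (github.com/naseerahkani/...) at a pseudo-version, and vendor/ in this same patch is regenerated from those forks, so the operator's own API types, applyconfigurations and CRD manifests are built from code under one individual's control rather than the reviewed upstream modules; that is a supply-chain exposure and will not match a release build. These lines should be treated as temporary scaffolding: land the API and client-go changes upstream, bump to the published openshift/api and openshift/client-go versions, drop the `replace` lines and re-vendor before merge. If the fork is needed for CI in the meantime, link the upstream PRs in the description so reviewers can diff the vendored changes against them.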
@@ -483,10 +483,10 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= -github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 h1:rQMpXmqxtPWXMDgHCcWIp/pe88g2zDrpOOIssygbtKU= -github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= -github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 h1:IREE8JqeISOk0Iq40xsDLyJaYupGG27ZZzYQstO8sr4= -github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23/go.mod h1:bzFwp/7ipZKYCdEMNZKGfyPeWVr9tIHf9j4fPygaOnQ= +github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 h1:20I1LGq8ZVQOLkYmKTmMKIn7wqrU6cd0sdW7oW/Xwqg= +github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c h1:f8AqcpybuKmUyGKCvq4pkOHIsgxGMvrmI5+yq6ZFTvo= +github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c/go.mod h1:AFenInkrazQ4DaGyy1GXrUQPGdVzv/uXMp6sGbR5bXs= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go index 7027529048..38b561bea6 100644 --- a/pkg/daemon/update.go +++ b/pkg/daemon/update.go 
@@ -1073,6 +1073,22 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 	if err != nil {
 		klog.Errorf("Error making MCN spec for Update Compatible: %v", err)
 	}
+
+	_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
+	err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
+		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("ask message")},
+		metav1.ConditionUnknown,
+		metav1.ConditionTrue,
+		dn.node,
+		dn.mcfgClient,
+		dn.featureGatesAccessor,
+		pool,
+	)
+	if err != nil {
+		klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
+	}
+
 	if drain {
 		if err := dn.performDrain(); err != nil {
 			return err
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 4e7a9c0186..947aaacf21 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -811,7 +811,7 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste
 	//Add: check if image mode status reporting fg is enables and if yes, use 821-826 as a guideline for configImage initialization
 	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
 		newMCS.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{
-			DesiredImage: node.Annotations[daemonconsts.DesiredImageAnnotationKey],
+			DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]),
 		}
 	}
 
diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go
index d1e1f2bfab..f364854620 100644
--- a/pkg/upgrademonitor/upgrade_monitor.go
+++ b/pkg/upgrademonitor/upgrade_monitor.go
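Review bot: The added GenerateAndApplyMachineConfigNodes call sets `MachineConfigNodeImagePulledFromRegistry` to True and records "Image %s pulled from registry." right after the Update Compatible step, before the drain and before any pull has happened, and it runs on every update regardless of the feature gate or whether newConfig is an OCL config at all; the first return of `extractOCLImageFromMachineConfig` is discarded with `_`, so for a non-OCL config the status reads "Image  pulled from registry." with an empty image. That makes the MCN status a false attestation of progress that other controllers and operators may act on. Use the discarded result and the gate, `ocl, newOCLImage := extractOCLImageFromMachineConfig(newConfig)` / `if ocl && newOCLImage != "" {` (assuming the first return is the is-OCL flag, which the hunk does not show), and move the update to the point where the pull actually completes. `Message: fmt.Sprintf("ask message")` is a placeholder that must be replaced before merge. The enclosing update method extends beyond the hunk.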
@@ -296,9 +296,9 @@ func generateAndApplyMachineConfigNodes(
 	}
 
 	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
-		statusConfigImageApplyImage := machineconfigurationv1.MachineConfigNodeStatusMachineConfigImage().WithDesired(newMCNode.Status.ConfigImage)
+		statusConfigImageApplyImage := machineconfigurationv1.MachineConfigNodeStatusConfigImage().WithDesiredImage(newMCNode.Status.ConfigImage.DesiredImage)
 		if node.Annotations[daemonconsts.CurrentImageAnnotationKey] != "" {
-			statusConfigImageApplyImage = statusConfigImageApplyImage.WithCurrent(newMCNode.Status.ConfigImage.CurrentImage)
+			statusConfigImageApplyImage = statusConfigImageApplyImage.WithCurrentImage(newMCNode.Status.ConfigImage.CurrentImage)
 		}
 
 	}
@@ -319,8 +319,8 @@ func generateAndApplyMachineConfigNodes(
 	}
 
 	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
-		newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecMachineConfigImage{
-			Desired: node.Annotations[daemonconsts.DesiredImageAnnotationKey],
+		newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{
+			DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]),
 		}
 
 		if newMCNode.Spec.ConfigImage.DesiredImage == "" {
@@ -406,7 +406,7 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc
 
 	if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
 		newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{
-			DesiredImage: node.Annotations[daemonconsts.DesiredImageAnnotationKey],
+			DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]),
 		}
 		// check if it should be empty
 		if newMCNode.Spec.ConfigImage.DesiredImage == "" {
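Review bot: This same patch turns MachineConfigNodeStatus.ConfigImage into a pointer with omitempty (vendored types change below), so `newMCNode.Status.ConfigImage.DesiredImage` and `.CurrentImage` here dereference nil whenever the MCN status has no configImage yet, which is the normal state for a freshly created or non-OCL MCN, and the process panics as soon as the gate is enabled. Check the pointer, or better take the values from the node annotations this block already inspects, e.g. `statusConfigImageApplyImage := machineconfigurationv1.MachineConfigNodeStatusConfigImage().WithDesiredImage(mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]))` and likewise for CurrentImage inside the existing `if`. The result is still never chained into statusApplyConfig, so even without the panic nothing is persisted. generateAndApplyMachineConfigNodes begins and ends outside the hunk.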
@@ -418,7 +418,7 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc nodeRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Node.Name) poolRefApplyConfig := machineconfigurationv1.MCOObjectReference().WithName(newMCNode.Spec.Pool.Name) specconfigVersionApplyConfig := machineconfigurationv1.MachineConfigNodeSpecMachineConfigVersion().WithDesired(newMCNode.Spec.ConfigVersion.Desired) - specConfigImageApplyConfig := machineconfigurationv1.MachineConfigNodeSpecConfigImage().WithDesired(newMCNode.Spec.ConfigImage.DesiredImage) + specConfigImageApplyConfig := machineconfigurationv1.MachineConfigNodeSpecConfigImage().WithDesiredImage(newMCNode.Spec.ConfigImage.DesiredImage) specApplyConfig := machineconfigurationv1.MachineConfigNodeSpec().WithNode(nodeRefApplyConfig).WithPool(poolRefApplyConfig).WithConfigVersion(specconfigVersionApplyConfig).WithConfigImage(specConfigImageApplyConfig) mcnodeApplyConfig := machineconfigurationv1.MachineConfigNode(newMCNode.Name).WithSpec(specApplyConfig) _, err := mcfgClient.MachineconfigurationV1().MachineConfigNodes().Apply(context.TODO(), mcnodeApplyConfig, metav1.ApplyOptions{FieldManager: "machine-config-operator", Force: true}) diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go index e4740bb1dc..316891faeb 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go 
@@ -101,7 +101,7 @@ type MachineConfigNodeSpec struct { // configImage holds the desired image for the node targeted by this machine config node resource. // The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates - // the new image against the current image. + // the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise. // +openshift:enable:FeatureGate=ImageModeStatusReporting // +optional ConfigImage MachineConfigNodeSpecConfigImage `json:"configImage"` @@ -129,10 +129,10 @@ type MachineConfigNodeStatus struct { // configVersion describes the current and desired machine config version for this node. // +optional ConfigVersion *MachineConfigNodeStatusMachineConfigVersion `json:"configVersion,omitempty"` - // configImage describes the current and desired image for this node. + // configImage describes the current and desired image for this node. OCL must be enabled for this to be populated. It will be omitted/empty otherwise. // +openshift:enable:FeatureGate=ImageModeStatusReporting // +optional - ConfigImage MachineConfigNodeStatusConfigImage `json:"configImage"` + ConfigImage *MachineConfigNodeStatusConfigImage `json:"configImage,omitempty"` // pinnedImageSets describes the current and desired pinned image sets for this node. // +listType=map // +listMapKey=name 
@@ -228,18 +228,20 @@ type MachineConfigNodeSpecMachineConfigVersion struct { // to signal the desired image pullspec for the node to update to. type MachineConfigNodeSpecConfigImage struct { // desiredImage is the fully qualified image pull spec of the image that the Machine - // Config Operator (MCO) intends to apply to the node. This field is optional. - // The length of the field must be between 1 to 447 characters. - // +kubebuilder:validation:MaxLength=447 - // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // Config Operator (MCO) intends to apply to the node. This field is optional. When + // OCL is not enabled, this field will be omitted/empty. + // The format of the push spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. // +optional - DesiredImage string `json:"desiredImage"` + DesiredImage ImageDigestFormat `json:"desiredImage"` } // MachineConfigNodeStatusConfigImage holds the observed state of the image // on the node, including both the image targeted for an update and the image // currently applied. This allows for monitoring the progress of the layering -// rollout. +// rollout. If OCL is enabled, desiredImage must be defined. +// +kubebuilder:validation:MinProperties:=1 type MachineConfigNodeStatusConfigImage struct { // currentImage is the fully qualified image pull spec of the image that is // currently applied to the node. 
@@ -247,18 +249,18 @@ type MachineConfigNodeStatusConfigImage struct { // node, there is no currentImage because the node has not yet applied // the updated image. Only after the updated image is applied will the // currentImage be populated. - // The length of the field must be between 1 to 447 characters. - // +kubebuilder:validation:MaxLength=447 - // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + // The format of the push spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. // +optional - CurrentImage string `json:"currentImage"` + CurrentImage ImageDigestFormat `json:"currentImage"` // desiredImage is a mirror of the desired image from the Spec. When the - // current and desired image are not equal, the node is in an updating phase. This field is optional. - // The length of the field must be between 1 to 447 characters. - // +kubebuilder:validation:MaxLength=447 - // +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9-]+\\\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\\\.[^.]+\\\\.svc:\\\\d+\\\\/[^\\\\/]+\\\\/[^\\\\/]+:[^\\\\/]+$')",message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." 
+ // current and desired image are not equal, the node is in an updating phase. This field is required. + // The format of the push spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. // +optional - DesiredImage string `json:"desiredImage"` + DesiredImage ImageDigestFormat `json:"desiredImage"` } // StateProgress is each possible state for each possible MachineConfigNodeType diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml index 2bb2409395..d4deea8a48 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-CustomNoUpgrade.crd.yaml 
@@ -103,22 +103,26 @@ spec: description: |- configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates - the new image against the current image. + the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise. properties: desiredImage: description: |- desiredImage is the fully qualified image pull spec of the image that the Machine - Config Operator (MCO) intends to apply to the node. This field is optional. - The length of the field must be between 1 to 447 characters. + Config Operator (MCO) intends to apply to the node. This field is optional. When + OCL is not enabled, this field will be omitted/empty. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. 
- rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: |- @@ -266,7 +270,9 @@ spec: x-kubernetes-list-type: map configImage: description: configImage describes the current and desired image for - this node. + this node. OCL must be enabled for this to be populated. It will + be omitted/empty otherwise. + minProperties: 1 properties: currentImage: description: |- 
@@ -276,30 +282,36 @@ spec: node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - The length of the field must be between 1 to 447 characters. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. This field is optional. - The length of the field must be between 1 to 447 characters. + current and desired image are not equal, the node is in an updating phase. This field is required. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml index 49492e117a..dc01464f7d 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-DevPreviewNoUpgrade.crd.yaml 
@@ -103,22 +103,26 @@ spec: description: |- configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates - the new image against the current image. + the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise. properties: desiredImage: description: |- desiredImage is the fully qualified image pull spec of the image that the Machine - Config Operator (MCO) intends to apply to the node. This field is optional. - The length of the field must be between 1 to 447 characters. + Config Operator (MCO) intends to apply to the node. This field is optional. When + OCL is not enabled, this field will be omitted/empty. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. 
- rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: |- @@ -266,7 +270,9 @@ spec: x-kubernetes-list-type: map configImage: description: configImage describes the current and desired image for - this node. + this node. OCL must be enabled for this to be populated. It will + be omitted/empty otherwise. + minProperties: 1 properties: currentImage: description: |- 
@@ -276,30 +282,36 @@ spec: node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - The length of the field must be between 1 to 447 characters. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. This field is optional. - The length of the field must be between 1 to 447 characters. + current and desired image are not equal, the node is in an updating phase. This field is required. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml index e731ca9c62..a056e0ac46 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-TechPreviewNoUpgrade.crd.yaml 
@@ -103,22 +103,26 @@ spec: description: |- configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates - the new image against the current image. + the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise. properties: desiredImage: description: |- desiredImage is the fully qualified image pull spec of the image that the Machine - Config Operator (MCO) intends to apply to the node. This field is optional. - The length of the field must be between 1 to 447 characters. + Config Operator (MCO) intends to apply to the node. This field is optional. When + OCL is not enabled, this field will be omitted/empty. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. 
- rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: |- @@ -266,7 +270,9 @@ spec: x-kubernetes-list-type: map configImage: description: configImage describes the current and desired image for - this node. + this node. OCL must be enabled for this to be populated. It will + be omitted/empty otherwise. + minProperties: 1 properties: currentImage: description: |- 
@@ -276,30 +282,36 @@ spec: node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. - The length of the field must be between 1 to 447 characters. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) desiredImage: description: |- desiredImage is a mirror of the desired image from the Spec. When the - current and desired image are not equal, the node is in an updating phase. This field is optional. - The length of the field must be between 1 to 447 characters. + current and desired image are not equal, the node is in an updating phase. This field is required. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) type: object configVersion: description: configVersion describes the current and desired machine diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go index 60b6d15b84..9b148fa46e 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go @@ -793,7 +793,11 @@ func (in *MachineConfigNodeStatus) DeepCopyInto(out *MachineConfigNodeStatus) { *out = new(MachineConfigNodeStatusMachineConfigVersion) **out = **in } - out.ConfigImage = in.ConfigImage + if in.ConfigImage != nil { + in, out := &in.ConfigImage, &out.ConfigImage + *out = new(MachineConfigNodeStatusConfigImage) + **out = **in + } if in.PinnedImageSets != nil { in, out := &in.PinnedImageSets, &out.PinnedImageSets *out = make([]MachineConfigNodeStatusPinnedImageSet, len(*in)) 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 0c2f1c43d2..6179ca3994 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go @@ -403,7 +403,7 @@ var map_MachineConfigNodeSpec = map[string]string{ "node": "node contains a reference to the node for this machine config node.", "pool": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", "configVersion": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - "configImage": "configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates the new image against the current image.", + "configImage": "configImage holds the desired image for the node targeted by this machine config node resource. The desired image represents the image the node will attempt to update to and gets set before the machine config operator validates the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise.", } func (MachineConfigNodeSpec) SwaggerDoc() map[string]string { 
@@ -412,7 +412,7 @@ func (MachineConfigNodeSpec) SwaggerDoc() map[string]string { var map_MachineConfigNodeSpecConfigImage = map[string]string{ "": "MachineConfigNodeSpecConfigImage holds the desired image for the node. This structure is populated from the `machineconfiguration.openshift.io/desiredImage` annotation on the target node, which is set by the Machine Config Pool controller to signal the desired image pullspec for the node to update to.", - "desiredImage": "desiredImage is the fully qualified image pull spec of the image that the Machine Config Operator (MCO) intends to apply to the node. This field is optional. The length of the field must be between 1 to 447 characters.", + "desiredImage": "desiredImage is the fully qualified image pull spec of the image that the Machine Config Operator (MCO) intends to apply to the node. This field is optional. When OCL is not enabled, this field will be omitted/empty. The format of the push spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", } func (MachineConfigNodeSpecConfigImage) SwaggerDoc() map[string]string { 
@@ -433,7 +433,7 @@ var map_MachineConfigNodeStatus = map[string]string{ "conditions": "conditions represent the observations of a machine config node's current state. Valid types are: UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed, Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing, and PinnedImageSetsDegraded. The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry, AppliedOSImage, AppliedFiles", "observedGeneration": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", "configVersion": "configVersion describes the current and desired machine config version for this node.", - "configImage": "configImage describes the current and desired image for this node.", + "configImage": "configImage describes the current and desired image for this node. OCL must be enabled for this to be populated. It will be omitted/empty otherwise.", "pinnedImageSets": "pinnedImageSets describes the current and desired pinned image sets for this node.", } 
@@ -442,9 +442,9 @@ func (MachineConfigNodeStatus) SwaggerDoc() map[string]string { } var map_MachineConfigNodeStatusConfigImage = map[string]string{ - "": "MachineConfigNodeStatusConfigImage holds the observed state of the image on the node, including both the image targeted for an update and the image currently applied. This allows for monitoring the progress of the layering rollout.", - "currentImage": "currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. The length of the field must be between 1 to 447 characters.", - "desiredImage": "desiredImage is a mirror of the desired image from the Spec. When the current and desired image are not equal, the node is in an updating phase. This field is optional. The length of the field must be between 1 to 447 characters.", + "": "MachineConfigNodeStatusConfigImage holds the observed state of the image on the node, including both the image targeted for an update and the image currently applied. This allows for monitoring the progress of the layering rollout. If OCL is enabled, desiredImage must be defined.", + "currentImage": "currentImage is the fully qualified image pull spec of the image that is currently applied to the node. This field is optional because when image-mode is first enabled on a node, there is no currentImage because the node has not yet applied the updated image. Only after the updated image is applied will the currentImage be populated. The format of the push spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
The length of the whole spec must be between 1 to 447 characters.", + "desiredImage": "desiredImage is a mirror of the desired image from the Spec. When the current and desired image are not equal, the node is in an updating phase. This field is required. The format of the push spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", } func (MachineConfigNodeStatusConfigImage) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go index d1e04cef84..6f34967acc 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go @@ -8,6 +8,7 @@ type MachineConfigNodeSpecApplyConfiguration struct { Node *MCOObjectReferenceApplyConfiguration `json:"node,omitempty"` Pool *MCOObjectReferenceApplyConfiguration `json:"pool,omitempty"` ConfigVersion *MachineConfigNodeSpecMachineConfigVersionApplyConfiguration `json:"configVersion,omitempty"` + ConfigImage *MachineConfigNodeSpecConfigImageApplyConfiguration `json:"configImage,omitempty"` } // MachineConfigNodeSpecApplyConfiguration constructs a declarative configuration of the MachineConfigNodeSpec type for use with 
@@ -39,3 +40,11 @@ func (b *MachineConfigNodeSpecApplyConfiguration) WithConfigVersion(value *Machi b.ConfigVersion = value return b } + +// WithConfigImage sets the ConfigImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ConfigImage field is set to the value of the last call. +func (b *MachineConfigNodeSpecApplyConfiguration) WithConfigImage(value *MachineConfigNodeSpecConfigImageApplyConfiguration) *MachineConfigNodeSpecApplyConfiguration { + b.ConfigImage = value + return b +} diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go new file mode 100644 index 0000000000..c72e26f9cd --- /dev/null +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go 
@@ -0,0 +1,27 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + machineconfigurationv1 "github.com/openshift/api/machineconfiguration/v1" +) + +// MachineConfigNodeSpecConfigImageApplyConfiguration represents a declarative configuration of the MachineConfigNodeSpecConfigImage type for use +// with apply. +type MachineConfigNodeSpecConfigImageApplyConfiguration struct { + DesiredImage *machineconfigurationv1.ImageDigestFormat `json:"desiredImage,omitempty"` +} + +// MachineConfigNodeSpecConfigImageApplyConfiguration constructs a declarative configuration of the MachineConfigNodeSpecConfigImage type for use with +// apply. +func MachineConfigNodeSpecConfigImage() *MachineConfigNodeSpecConfigImageApplyConfiguration { + return &MachineConfigNodeSpecConfigImageApplyConfiguration{} +} + +// WithDesiredImage sets the DesiredImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DesiredImage field is set to the value of the last call. +func (b *MachineConfigNodeSpecConfigImageApplyConfiguration) WithDesiredImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeSpecConfigImageApplyConfiguration { + b.DesiredImage = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go index abfc04d09c..1f2e5bc387 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go 
@@ -12,6 +12,7 @@ type MachineConfigNodeStatusApplyConfiguration struct { Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"` ObservedGeneration *int64 `json:"observedGeneration,omitempty"` ConfigVersion *MachineConfigNodeStatusMachineConfigVersionApplyConfiguration `json:"configVersion,omitempty"` + ConfigImage *MachineConfigNodeStatusConfigImageApplyConfiguration `json:"configImage,omitempty"` PinnedImageSets []MachineConfigNodeStatusPinnedImageSetApplyConfiguration `json:"pinnedImageSets,omitempty"` } @@ -50,6 +51,14 @@ func (b *MachineConfigNodeStatusApplyConfiguration) WithConfigVersion(value *Mac return b } +// WithConfigImage sets the ConfigImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ConfigImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusApplyConfiguration) WithConfigImage(value *MachineConfigNodeStatusConfigImageApplyConfiguration) *MachineConfigNodeStatusApplyConfiguration { + b.ConfigImage = value + return b +} + // WithPinnedImageSets adds the given value to the PinnedImageSets field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the PinnedImageSets field. diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go new file mode 100644 index 0000000000..7eada16af9 --- /dev/null +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go 
@@ -0,0 +1,36 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + machineconfigurationv1 "github.com/openshift/api/machineconfiguration/v1" +) + +// MachineConfigNodeStatusConfigImageApplyConfiguration represents a declarative configuration of the MachineConfigNodeStatusConfigImage type for use +// with apply. +type MachineConfigNodeStatusConfigImageApplyConfiguration struct { + CurrentImage *machineconfigurationv1.ImageDigestFormat `json:"currentImage,omitempty"` + DesiredImage *machineconfigurationv1.ImageDigestFormat `json:"desiredImage,omitempty"` +} + +// MachineConfigNodeStatusConfigImageApplyConfiguration constructs a declarative configuration of the MachineConfigNodeStatusConfigImage type for use with +// apply. +func MachineConfigNodeStatusConfigImage() *MachineConfigNodeStatusConfigImageApplyConfiguration { + return &MachineConfigNodeStatusConfigImageApplyConfiguration{} +} + +// WithCurrentImage sets the CurrentImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CurrentImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusConfigImageApplyConfiguration) WithCurrentImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeStatusConfigImageApplyConfiguration { + b.CurrentImage = &value + return b +} + +// WithDesiredImage sets the DesiredImage field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DesiredImage field is set to the value of the last call. +func (b *MachineConfigNodeStatusConfigImageApplyConfiguration) WithDesiredImage(value machineconfigurationv1.ImageDigestFormat) *MachineConfigNodeStatusConfigImageApplyConfiguration { + b.DesiredImage = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go index 8bd1942b5f..b7968caf3a 100644 --- a/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/utils.go @@ -58,10 +58,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &machineconfigurationv1.MachineConfigNodeApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpec"): return &machineconfigurationv1.MachineConfigNodeSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpecConfigImage"): + return &machineconfigurationv1.MachineConfigNodeSpecConfigImageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeSpecMachineConfigVersion"): return &machineconfigurationv1.MachineConfigNodeSpecMachineConfigVersionApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatus"): return &machineconfigurationv1.MachineConfigNodeStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusConfigImage"): + return &machineconfigurationv1.MachineConfigNodeStatusConfigImageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusMachineConfigVersion"): return &machineconfigurationv1.MachineConfigNodeStatusMachineConfigVersionApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("MachineConfigNodeStatusPinnedImageSet"): diff --git a/vendor/modules.txt b/vendor/modules.txt index 2e4bc212ce..90b57a4beb 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -981,7 +981,7 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1064,7 +1064,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 +# github.com/openshift/client-go v0.0.0-20250425165505-5f55ff6979a1 => github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c ## explicit; go 1.23.0 github.com/openshift/client-go/build/applyconfigurations/build/v1 github.com/openshift/client-go/build/applyconfigurations/internal @@ -2771,5 +2771,5 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 sigs.k8s.io/yaml/goyaml.v3 # k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 -# github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250710210823-95c2813c5f23 -# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250709200454-c82e51f90bb8 +# github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c +# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 From 4f9b635d0d058ce90a2dece49b314062bbdbd2a0 Mon Sep 17 00:00:00 2001 
From: Naseerah Kani Pakrudeen Ali Date: Fri, 1 Aug 2025 11:40:07 -0400 Subject: [PATCH 09/11] changes --- go.mod | 2 +- go.sum | 4 +- pkg/daemon/update.go | 31 ++++++------ pkg/operator/sync.go | 17 ++----- pkg/upgrademonitor/upgrade_monitor.go | 49 ++++++++++++------- .../v1/types_machineconfignode.go | 2 +- .../v1/zz_generated.deepcopy.go | 8 ++- vendor/modules.txt | 4 +- 8 files changed, 63 insertions(+), 54 deletions(-) diff --git a/go.mod b/go.mod index 640cdaa569..dd5f00338f 100644 --- a/go.mod +++ b/go.mod @@ -353,4 +353,4 @@ replace k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816 replace github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c -replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 +replace github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250724174438-d1048fccac8c diff --git a/go.sum b/go.sum index a90b873874..a38807bd54 100644 --- a/go.sum +++ b/go.sum 
@@ -483,8 +483,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= -github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 h1:20I1LGq8ZVQOLkYmKTmMKIn7wqrU6cd0sdW7oW/Xwqg= -github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/naseerahkani/api v0.0.0-20250724174438-d1048fccac8c h1:FjVVDcuMUlrxIDZYx8zPJChnrJg1wC1bonhrpB2yrgM= +github.com/naseerahkani/api v0.0.0-20250724174438-d1048fccac8c/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c h1:f8AqcpybuKmUyGKCvq4pkOHIsgxGMvrmI5+yq6ZFTvo= github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c/go.mod h1:AFenInkrazQ4DaGyy1GXrUQPGdVzv/uXMp6sGbR5bXs= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go index 38b561bea6..a6161ab5cf 100644 --- a/pkg/daemon/update.go +++ b/pkg/daemon/update.go 
@@ -1074,21 +1074,6 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 klog.Errorf("Error making MCN spec for Update Compatible: %v", err)
 }
 
- _, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
- err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
- &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
- &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("ask message")},
- metav1.ConditionUnknown,
- metav1.ConditionTrue,
- dn.node,
- dn.mcfgClient,
- dn.featureGatesAccessor,
- pool,
- )
- if err != nil {
- klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
- }
-
 if drain {
 if err := dn.performDrain(); err != nil {
 return err
@@ -1258,6 +1243,22 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 if err != nil {
 klog.Errorf("Error making MCN for Updated Files and OS: %v", err)
 }
+
+ _, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
+ err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
+ &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+ &upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+ metav1.ConditionUnknown,
+ metav1.ConditionTrue,
+ dn.node,
+ dn.mcfgClient,
+ dn.featureGatesAccessor,
+ pool,
+ )
+ if err != nil {
+ klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
+ }
+
 // Node Disruption Policies cannot be used during firstboot as API is not accessible.
 if !firstBoot {
 return dn.performPostConfigChangeNodeDisruptionAction(nodeDisruptionActions, newConfig.GetName())
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 947aaacf21..e3c8e05b81 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
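Review bot: The ImagePulledFromRegistry report is now emitted unconditionally right after the AppliedFilesAndOS one, and the first return value of `extractOCLImageFromMachineConfig` is discarded; if that value indicates whether the config carries an OCL image at all (its signature is not visible here), non-OCL updates will record `Image  pulled from registry.` with an empty name. Guarding on it, `if hasImage, newOCLImage := extractOCLImageFromMachineConfig(newConfig); hasImage {`, keeps the condition to nodes that actually pulled an image. The same message text is also formatted twice; bind it once to a local and reuse it for both conditions. The enclosing `update` method starts and ends outside this hunk.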
@@ -808,9 +808,8 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste
 },
 }
 
- //Add: check if image mode status reporting fg is enables and if yes, use 821-826 as a guideline for configImage initialization
- if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
- newMCS.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{
+ if fg.Enabled(features.FeatureGateImageModeStatusReporting) && node.Annotations[daemonconsts.DesiredImageAnnotationKey] != "" {
+ newMCS.Spec.ConfigImage = &mcfgv1.MachineConfigNodeSpecConfigImage{
 DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]),
 }
 }
@@ -827,19 +826,11 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste
 }
 
 // if this is the first time we are applying the MCN and the node is ready, set the config version probably
+ // this should also catch the configImage requirements from the GenerateAndApplyMachineConfigNodeSpec function in upgrademonitor (lines 398-400)
 if mcn.Spec.ConfigVersion.Desired == upgrademonitor.NotYetSet {
 err = upgrademonitor.GenerateAndApplyMachineConfigNodeSpec(optr.fgAccessor, pool, node, optr.client)
 if err != nil {
- klog.Errorf("Error making MCN spec for Update Compatible: %v", err)
- }
- }
-
- if fg.Enabled(features.FeatureGateImageModeStatusReporting) {
- if mcn.Spec.ConfigImage.DesiredImage == upgrademonitor.NotYetSet {
- err = upgrademonitor.GenerateAndApplyMachineConfigNodeSpec(optr.fgAccessor, pool, node, optr.client)
- if err != nil {
- klog.Errorf("Error making MCN spec for Update Compatible: %v", err)
- }
+ klog.Errorf("Error making MCN Spec: %v", err)
 }
 }
 
diff --git a/pkg/upgrademonitor/upgrade_monitor.go b/pkg/upgrademonitor/upgrade_monitor.go
index f364854620..0ce970185c 100644
--- a/pkg/upgrademonitor/upgrade_monitor.go
+++ b/pkg/upgrademonitor/upgrade_monitor.go
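Review bot: The new comment in the second hunk points at `upgrademonitor (lines 398-400)`, and a line-number reference into another file goes stale with the next edit there; name the code instead, e.g. `// GenerateAndApplyMachineConfigNodeSpec also populates Spec.ConfigImage from the desired-image annotation when the gate is on`. With the removed `mcn.Spec.ConfigImage.DesiredImage == upgrademonitor.NotYetSet` branch gone, an existing MCN whose ConfigVersion.Desired is already set but that has no ConfigImage is never re-synced from this path when the annotation appears later; if that is deliberately left to the status-side sync in upgrademonitor, the comment should say so. In the first hunk the annotation is read twice; `if desired := node.Annotations[daemonconsts.DesiredImageAnnotationKey]; fg.Enabled(features.FeatureGateImageModeStatusReporting) && desired != "" {` reads it once and feeds `mcfgv1.ImageDigestFormat(desired)`. `syncMachineConfigNodes` starts and ends outside both hunks.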
@@ -258,6 +258,32 @@ func generateAndApplyMachineConfigNodes(
 newMCNode.Status.ConfigVersion.Current = node.Annotations[daemonconsts.CurrentMachineConfigAnnotationKey]
 }
 
+ // Set desired version in MCN.Status.ConfigImage
+ desiredImageAnnotation := node.Annotations[daemonconsts.DesiredImageAnnotationKey]
+ currentImageAnnotation := node.Annotations[daemonconsts.CurrentImageAnnotationKey]
+ // if the update is compatible, we can set the desired to the one being used in the update,
+ // otherwise continue using the placeholder value
+ if desiredImageAnnotation != "" || currentImageAnnotation != "" {
+ // desiredImageAnnotation := node.Annotations[daemonconsts.DesiredImageAnnotationKey]
+ if newMCNode.Status.ConfigImage == nil {
+ newMCNode.Status.ConfigImage = &mcfgv1.MachineConfigNodeStatusConfigImage{
+ // DesiredImage: mcfgv1.ImageDigestFormat(desiredImageAnnotation),
+ }
+ // } else {
+ // newMCNode.Status.ConfigImage.DesiredImage = mcfgv1.ImageDigestFormat(desiredImageAnnotation)
+ }
+ if desiredImageAnnotation != "" {
+ newMCNode.Status.ConfigImage.DesiredImage = mcfgv1.ImageDigestFormat(desiredImageAnnotation)
+ }
+ if currentImageAnnotation != "" {
+ newMCNode.Status.ConfigImage.CurrentImage = mcfgv1.ImageDigestFormat(currentImageAnnotation)
+ }
+ }
+ // // Set current version in MCN.Status.ConfigImage if node annotation exists
+ // if node.Annotations[daemonconsts.CurrentImageAnnotationKey] != "" {
+ // newMCNode.Status.ConfigImage.CurrentImage = mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.CurrentImageAnnotationKey])
+ // }
+
 // if we do not need a new MCN, generate the apply configurations for this object
 if !needNewMCNode {
 statusconfigVersionApplyConfig := machineconfigurationv1.MachineConfigNodeStatusMachineConfigVersion().WithDesired(newMCNode.Status.ConfigVersion.Desired)
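Review bot: The block leaves commented-out code behind (`// desiredImageAnnotation := …`, `// DesiredImage: …`, `// } else {`, the `// newMCNode.Status.ConfigImage.DesiredImage = …` line and the `// // Set current version …` block at the end); it should be deleted rather than shipped. The header comment also does not describe the code, since nothing here falls back to a placeholder: replace `// Set desired version in MCN.Status.ConfigImage` and the two comment lines after the annotation reads with `// Mirror the desired/current image annotations into Status.ConfigImage; it stays nil when neither annotation is set.` Unlike the Spec side of this file, Status.ConfigImage is filled without checking `fg.Enabled(features.FeatureGateImageModeStatusReporting)`; if that asymmetry is intended, a one-line comment saying why would help, otherwise gate it the same way. `generateAndApplyMachineConfigNodes` starts and ends outside this hunk.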
@@ -318,15 +344,11 @@ func generateAndApplyMachineConfigNodes( newMCNode.Spec.ConfigVersion.Desired = NotYetSet } - if fg.Enabled(features.FeatureGateImageModeStatusReporting) { - newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ + if fg.Enabled(features.FeatureGateImageModeStatusReporting) && node.Annotations[daemonconsts.DesiredImageAnnotationKey] != "" { + newMCNode.Spec.ConfigImage = &mcfgv1.MachineConfigNodeSpecConfigImage{ DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]), } - if newMCNode.Spec.ConfigImage.DesiredImage == "" { - newMCNode.Spec.ConfigImage.DesiredImage = "" - } - } newMCNode.Name = node.Name newMCNode.Spec.Pool = mcfgv1.MCOObjectReference{Name: pool} @@ -392,10 +414,6 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc newMCNode.Spec.ConfigVersion = mcfgv1.MachineConfigNodeSpecMachineConfigVersion{ Desired: node.Annotations[daemonconsts.DesiredMachineConfigAnnotationKey], } - // Set desired config to NotYetSet if the annotation is empty to satisfy API validation - if newMCNode.Spec.ConfigVersion.Desired == "" { - newMCNode.Spec.ConfigVersion.Desired = NotYetSet - } newMCNode.Spec.Pool = mcfgv1.MCOObjectReference{ Name: pool, 
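Review bot: The second hunk drops the `NotYetSet` fallback for `Spec.ConfigVersion.Desired` in GenerateAndApplyMachineConfigNodeSpec, whose own comment said it existed `to satisfy API validation`, and nothing in the diff replaces it, so when the desired-config annotation is empty the spec is now applied with `Desired: ""`. Unless the replaced api module now permits an empty desired version, that apply will be rejected where it used to succeed, and the operator hunk above calls this function precisely while the MCN still holds `NotYetSet`; the sibling generateAndApplyMachineConfigNodes also keeps its `newMCNode.Spec.ConfigVersion.Desired = NotYetSet` fallback (visible as context in the first hunk), so the two functions now disagree. If the removal is intentional, say so in a comment; otherwise restore `if newMCNode.Spec.ConfigVersion.Desired == "" { newMCNode.Spec.ConfigVersion.Desired = NotYetSet }`. Both functions touched here begin and end outside the hunks.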
@@ -403,14 +421,9 @@ func GenerateAndApplyMachineConfigNodeSpec(fgAccessor featuregates.FeatureGateAc newMCNode.Spec.Node = mcfgv1.MCOObjectReference{ Name: node.Name, } - - if fg.Enabled(features.FeatureGateImageModeStatusReporting) { - newMCNode.Spec.ConfigImage = mcfgv1.MachineConfigNodeSpecConfigImage{ - DesiredImage: mcfgv1.ImageDigestFormat(node.Annotations[daemonconsts.DesiredImageAnnotationKey]), - } - // check if it should be empty - if newMCNode.Spec.ConfigImage.DesiredImage == "" { - newMCNode.Spec.ConfigVersion.Desired = NotYetSet + if daemonconsts.DesiredImageAnnotationKey != "" && fg.Enabled(features.FeatureGateImageModeStatusReporting) { + newMCNode.Spec.ConfigImage = &mcfgv1.MachineConfigNodeSpecConfigImage{ + DesiredImage: daemonconsts.DesiredImageAnnotationKey, } } diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go index 316891faeb..9df6fa29ac 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go @@ -104,7 +104,7 @@ type MachineConfigNodeSpec struct { // the new image against the current image. This field will be used only when OCL is enabled. This will be empty/omitted otherwise. // +openshift:enable:FeatureGate=ImageModeStatusReporting // +optional - ConfigImage MachineConfigNodeSpecConfigImage `json:"configImage"` + ConfigImage *MachineConfigNodeSpecConfigImage `json:"configImage,omitempty"` } // MachineConfigNodeStatus holds the reported information on a particular machine config node. diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go index 9b148fa46e..469cd596d1 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go 
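Review bot: The new condition in GenerateAndApplyMachineConfigNodeSpec tests the wrong thing: `daemonconsts.DesiredImageAnnotationKey != ""` compares the annotation key constant, which is always non-empty, and `DesiredImage: daemonconsts.DesiredImageAnnotationKey` stores that key string as the desired image instead of the node's annotation value — so with the feature gate on, every MCN spec written by this path carries the annotation key name where an image digest is expected, which should either fail `ImageDigestFormat` validation or record a meaningless image. It should read the annotation, mirroring the corrected hunk in generateAndApplyMachineConfigNodes: `if img := node.Annotations[daemonconsts.DesiredImageAnnotationKey]; img != "" && fg.Enabled(features.FeatureGateImageModeStatusReporting) {` with `DesiredImage: mcfgv1.ImageDigestFormat(img),`. Separately, the `*MachineConfigNodeSpecConfigImage` pointer type this relies on comes from the `github.com/naseerahkani/api` replace of `github.com/openshift/api` recorded in vendor/modules.txt; that personal fork should be swapped for the upstream api revision before this merges, otherwise the build depends on a repository outside the project's control. The enclosing function's end is outside the hunk.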
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go @@ -670,7 +670,7 @@ func (in *MachineConfigNode) DeepCopyInto(out *MachineConfigNode) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) return } @@ -732,7 +732,11 @@ func (in *MachineConfigNodeSpec) DeepCopyInto(out *MachineConfigNodeSpec) { out.Node = in.Node out.Pool = in.Pool out.ConfigVersion = in.ConfigVersion - out.ConfigImage = in.ConfigImage + if in.ConfigImage != nil { + in, out := &in.ConfigImage, &out.ConfigImage + *out = new(MachineConfigNodeSpecConfigImage) + **out = **in + } return } diff --git a/vendor/modules.txt b/vendor/modules.txt index 90b57a4beb..7b2922616a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -981,7 +981,7 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 +# github.com/openshift/api v0.0.0-20250620092249-a8cbc218cd2c => github.com/naseerahkani/api v0.0.0-20250724174438-d1048fccac8c ## explicit; go 1.23.0 github.com/openshift/api github.com/openshift/api/annotations @@ -2772,4 +2772,4 @@ sigs.k8s.io/yaml/goyaml.v2 sigs.k8s.io/yaml/goyaml.v3 # k8s.io/kube-openapi => github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 # github.com/openshift/client-go => github.com/naseerahkani/client-go v0.0.0-20250722005126-8e9e555e298c -# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250715184238-584477d3b226 +# github.com/openshift/api => github.com/naseerahkani/api v0.0.0-20250724174438-d1048fccac8c From 7f52c15223f4aef3fe81ac9d9cad4e58a5d33112 Mon Sep 17 00:00:00 2001 
From: Naseerah Kani Pakrudeen Ali
Date: Fri, 1 Aug 2025 13:37:18 -0400
Subject: [PATCH 10/11] moved OCL image pull conditional

---
 pkg/daemon/update.go | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
index a6161ab5cf..0e9fd13cb6 100644
--- a/pkg/daemon/update.go
+++ b/pkg/daemon/update.go
@@ -1187,6 +1187,21 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 		return err
 	}
 
+	_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
+	err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
+		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+		metav1.ConditionUnknown,
+		metav1.ConditionTrue,
+		dn.node,
+		dn.mcfgClient,
+		dn.featureGatesAccessor,
+		pool,
+	)
+	if err != nil {
+		klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
+	}
+
 	defer func() {
 		if retErr != nil {
 			if err := coreOSDaemon.applyOSChanges(*diff, newConfig, oldConfig); err != nil {
@@ -1244,21 +1259,6 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 		klog.Errorf("Error making MCN for Updated Files and OS: %v", err)
 	}
 
-	_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
-	err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
-		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
-		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
-		metav1.ConditionUnknown,
-		metav1.ConditionTrue,
-		dn.node,
-		dn.mcfgClient,
-		dn.featureGatesAccessor,
-		pool,
-	)
-	if err != nil {
-		klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
-	}
-
 	// Node Disruption Policies cannot be used during firstboot as API is not accessible.
 	if !firstBoot {
 		return dn.performPostConfigChangeNodeDisruptionAction(nodeDisruptionActions, newConfig.GetName())

From 74536f44d1f773fe94fdc1862e6e3eb63db45871 Mon Sep 17 00:00:00 2001
From: Naseerah Kani Pakrudeen Ali
Date: Mon, 4 Aug 2025 15:34:33 -0400
Subject: [PATCH 11/11] moved function

---
 pkg/daemon/update.go | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
index 0e9fd13cb6..88bcc8a8f7 100644
--- a/pkg/daemon/update.go
+++ b/pkg/daemon/update.go
@@ -1187,21 +1187,6 @@ func (dn *Daemon) update(oldConfig, newConfig *mcfgv1.MachineConfig, skipCertifi
 		return err
 	}
 
-	_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
-	err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
-		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
-		&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
-		metav1.ConditionUnknown,
-		metav1.ConditionTrue,
-		dn.node,
-		dn.mcfgClient,
-		dn.featureGatesAccessor,
-		pool,
-	)
-	if err != nil {
-		klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
-	}
-
 	defer func() {
 		if retErr != nil {
 			if err := coreOSDaemon.applyOSChanges(*diff, newConfig, oldConfig); err != nil {
@@ -2801,9 +2786,30 @@ func (dn *CoreOSDaemon) applyLayeredOSChanges(mcDiff machineConfigDiff, oldConfi
 		}
 	}
 
+	// Get MCP associated with node
+	pool, err := helpers.GetPrimaryPoolNameForMCN(dn.mcpLister, dn.node)
+	if err != nil {
+		return err
+	}
+
 	// Update OS
 	if mcDiff.osUpdate {
 		if err := dn.updateLayeredOS(newConfig); err != nil {
+			_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
+			err = upgrademonitor.GenerateAndApplyMachineConfigNodes(
+				&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeUpdateExecuted, Reason: string(mcfgv1.MachineConfigNodeImagePulledFromRegistry), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+				&upgrademonitor.Condition{State: mcfgv1.MachineConfigNodeImagePulledFromRegistry, Reason: fmt.Sprintf("%s%s", string(mcfgv1.MachineConfigNodeUpdateExecuted), string(mcfgv1.MachineConfigNodeImagePulledFromRegistry)), Message: fmt.Sprintf("Image %s pulled from registry.", newOCLImage)},
+				metav1.ConditionUnknown,
+				metav1.ConditionTrue,
+				dn.node,
+				dn.mcfgClient,
+				dn.featureGatesAccessor,
+				pool,
+			)
+			if err != nil {
+				klog.Errorf("Error making MCN for Pulling Image from Registry: %v", err)
+			}
+
 			mcdPivotErr.Inc()
 			return err
 		}
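Review bot: Inside `if err := dn.updateLayeredOS(newConfig); err != nil {`, the added `err = upgrademonitor.GenerateAndApplyMachineConfigNodes(...)` assigns to that same if-scoped `err`, so the `return err` below now returns the MCN-apply result — nil whenever the status update succeeds — and a failed OS pivot is reported to the caller as success even though `mcdPivotErr` was incremented; the status-update error needs its own name. The condition being written also reads backwards: it sets `MachineConfigNodeImagePulledFromRegistry` to ConditionTrue with the message "Image ... pulled from registry." only on the failure path, while a successful `updateLayeredOS` records nothing, so if the intent is to report the pull outcome the success branch is presumably where True belongs and the failure branch should carry the error. The new `helpers.GetPrimaryPoolNameForMCN` call returns early on error, so a failed pool lookup — needed here only for status reporting — now aborts applyLayeredOSChanges before the OS update runs; logging and skipping the MCN update would keep reporting from blocking the pivot. The rest of applyLayeredOSChanges lies outside the hunk.
```go
	// Update OS
	if mcDiff.osUpdate {
		if updateErr := dn.updateLayeredOS(newConfig); updateErr != nil {
			_, newOCLImage := extractOCLImageFromMachineConfig(newConfig)
			// Keep the status-update error separate so the pivot failure is what we return.
			if mcnErr := upgrademonitor.GenerateAndApplyMachineConfigNodes(
				// … unchanged: the two Condition arguments, ConditionUnknown, ConditionTrue, dn.node, dn.mcfgClient, dn.featureGatesAccessor, pool …
			); mcnErr != nil {
				klog.Errorf("Error making MCN for Pulling Image from Registry: %v", mcnErr)
			}
			mcdPivotErr.Inc()
			return updateErr
		}
```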