diff --git a/go.mod b/go.mod index 05ee80bb2..2458393b7 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/onsi/ginkgo/v2 v2.21.0 github.com/onsi/gomega v1.35.1 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 - github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc + github.com/openshift/api v0.0.0-20251222154221-d4b2fef98af2 github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884 github.com/operator-framework/api v0.17.1 @@ -93,3 +93,7 @@ require ( ) replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 + +replace github.com/openshift/api => github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff + +replace github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc diff --git a/go.sum b/go.sum index 359398b7a..53f2e7962 100644 --- a/go.sum +++ b/go.sum @@ -45,6 +45,8 @@ github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgY github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff h1:D9VFJdZ/Kop93dbmdDJO4fal4vFzKMDtzrmiOc9J5oQ= +github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
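Review bot: The added `replace github.com/openshift/api => github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff` makes every build of this operator resolve its API types from a personal fork instead of the openshift organisation's module. It also overrides the `require` bump to `d4b2fef98af2` in the first hunk, so that bump has no effect on what is compiled. The go.sum entries in this commit pin the fork's content, but the provenance and review history of that commit sit outside the upstream repository. Drop the directive before merge once the needed API change is available upstream, or at least add a comment above it naming what it is waiting for, e.g. `// TODO: remove once <upstream api change> merges`. The client-go `replace` targets the same module path, so a plain `require` bump would express it without a standing override.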
@@ -86,10 +88,8 @@ github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45 h1:hXpbYtP3iTh8oy/RKwKkcMziwchY3fIk95ciczf7cOA= github.com/openshift-eng/openshift-tests-extension v0.0.0-20250220212757-b9c4d98a0c45/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M= -github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc h1:p83VYAk7mlqYZrMaKuu2bBNNLUKBUSCa6YzjPDqbOlk= -github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= -github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a h1:iJYjd+rxyjMa3Sk6Vg55secJ4yMrabr/ulnTiy+vDH0= -github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a/go.mod h1:WD7m8ADeqiAKTHWx/mBoE/1MFMtnt9MYTyBOnf0L3LI= +github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc h1:nIlRaJfr/yGjPV15MNF5eVHLAGyXFjcUzO+hXeWDDk8= +github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc/go.mod h1:cs9BwTu96sm2vQvy7r9rOiltgu90M6ju2qIHFG9WU+o= github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884 h1:6512TMT14gnXQ4vyshzAQGjkctU0PO9G+y0tcBjw6Vk= github.com/openshift/library-go v0.0.0-20251120164824-14a789e09884/go.mod h1:ErDfiIrPHH+menTP/B4LKd0nxFDdvCbTamAc6SWMIh8= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 h1:AKx/w1qpS8We43bsRgf8Nll3CGlDHpr/WAXvuedTNZI= diff --git a/pkg/cvo/availableupdates.go b/pkg/cvo/availableupdates.go index 73ebe078d..b00646d43 100644 --- a/pkg/cvo/availableupdates.go +++ b/pkg/cvo/availableupdates.go 
@@ -16,12 +16,14 @@ import ( "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" configv1 "github.com/openshift/api/config/v1" "github.com/openshift/cluster-version-operator/lib/resourcemerge" "github.com/openshift/cluster-version-operator/pkg/cincinnati" "github.com/openshift/cluster-version-operator/pkg/clusterconditions" + "github.com/openshift/cluster-version-operator/pkg/internal" ) const noArchitecture string = "NoArchitecture" @@ -50,6 +52,12 @@ func (optr *Operator) syncAvailableUpdates(ctx context.Context, config *configv1 channel := config.Spec.Channel desiredArch := optr.getDesiredArchitecture(config.Spec.DesiredUpdate) currentArch := optr.getCurrentArchitecture() + acceptRisks := sets.New[string]() + if config.Spec.DesiredUpdate != nil { + for _, risk := range config.Spec.DesiredUpdate.AcceptRisks { + acceptRisks.Insert(risk.Name) + } + } // updates are only checked at most once per minimumUpdateCheckInterval or if the generation changes optrAvailableUpdates := optr.getAvailableUpdates() @@ -129,6 +137,9 @@ func (optr *Operator) syncAvailableUpdates(ctx context.Context, config *configv1 optrAvailableUpdates.UpdateService = updateService optrAvailableUpdates.Channel = channel optrAvailableUpdates.Architecture = desiredArch + optrAvailableUpdates.ShouldReconcileAcceptRisks = optr.shouldReconcileAcceptRisks + optrAvailableUpdates.AcceptRisks = acceptRisks + optrAvailableUpdates.RiskConditions = map[string][]metav1.Condition{} optrAvailableUpdates.ConditionRegistry = optr.conditionRegistry optrAvailableUpdates.Condition = condition 
@@ -167,9 +178,11 @@ func (optr *Operator) syncAvailableUpdates(ctx context.Context, config *configv1 } type availableUpdates struct { - UpdateService string - Channel string - Architecture string + UpdateService string + Channel string + Architecture string + ShouldReconcileAcceptRisks func() bool + AcceptRisks sets.Set[string] // LastAttempt records the time of the most recent attempt at update // retrieval, regardless of whether it was successful. @@ -192,6 +205,11 @@ type availableUpdates struct { ConditionRegistry clusterconditions.ConditionRegistry Condition configv1.ClusterOperatorStatusCondition + + // RiskConditions stores the condition for every risk (name, url, message, matchingRules). + // The key of the risk is represented by its name which is ensured by validating our graph-data. + // https://github.com/openshift/cincinnati-graph-data/blob/af701850c24b4a53426c2a5400c63895fdf9de60/hack/validate-blocked-edges.py#L25C77-L25C90 + RiskConditions map[string][]metav1.Condition } func (u *availableUpdates) RecentlyAttempted(interval time.Duration) bool { 
@@ -291,14 +309,17 @@ func (optr *Operator) getAvailableUpdates() *availableUpdates { } u := &availableUpdates{ - UpdateService: optr.availableUpdates.UpdateService, - Channel: optr.availableUpdates.Channel, - Architecture: optr.availableUpdates.Architecture, - LastAttempt: optr.availableUpdates.LastAttempt, - LastSyncOrConfigChange: optr.availableUpdates.LastSyncOrConfigChange, - Current: *optr.availableUpdates.Current.DeepCopy(), - ConditionRegistry: optr.availableUpdates.ConditionRegistry, // intentionally not a copy, to preserve cache state - Condition: optr.availableUpdates.Condition, + UpdateService: optr.availableUpdates.UpdateService, + Channel: optr.availableUpdates.Channel, + Architecture: optr.availableUpdates.Architecture, + ShouldReconcileAcceptRisks: optr.shouldReconcileAcceptRisks, + AcceptRisks: optr.availableUpdates.AcceptRisks, + RiskConditions: optr.availableUpdates.RiskConditions, + LastAttempt: optr.availableUpdates.LastAttempt, + LastSyncOrConfigChange: optr.availableUpdates.LastSyncOrConfigChange, + Current: *optr.availableUpdates.Current.DeepCopy(), + ConditionRegistry: optr.availableUpdates.ConditionRegistry, // intentionally not a copy, to preserve cache state + Condition: optr.availableUpdates.Condition, } if optr.availableUpdates.Updates != nil { @@ -427,7 +448,7 @@ func (u *availableUpdates) evaluateConditionalUpdates(ctx context.Context) { return vi.GTE(vj) }) for i, conditionalUpdate := range u.ConditionalUpdates { - condition := evaluateConditionalUpdate(ctx, conditionalUpdate.Risks, u.ConditionRegistry) + condition := evaluateConditionalUpdate(ctx, conditionalUpdate.Risks, u.ConditionRegistry, u.AcceptRisks, u.ShouldReconcileAcceptRisks, u.RiskConditions) if condition.Status == metav1.ConditionTrue { u.addUpdate(conditionalUpdate.Release) 
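Review bot: In the `u := &availableUpdates{...}` literal, `AcceptRisks` and `RiskConditions` are handed out by reference, while `Current` is deep-copied and the one deliberately shared field, `ConditionRegistry`, carries a comment saying so. `evaluateConditionalUpdate` later writes into `riskConditions`, so through this copy those writes land in the operator's stored state. If getAvailableUpdates is meant to return a snapshot usable outside the operator's lock (the locking is outside this hunk), that is an unsynchronised map write. Suggest `AcceptRisks: optr.availableUpdates.AcceptRisks.Clone(),` and `RiskConditions: maps.Clone(optr.availableUpdates.RiskConditions),`. If the sharing is intended, say so as the `ConditionRegistry` line does.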
@@ -478,13 +499,16 @@ func newRecommendedStatus(now, want metav1.ConditionStatus) metav1.ConditionStat } const ( - recommendedReasonRisksNotExposed = "NotExposedToRisks" - recommendedReasonEvaluationFailed = "EvaluationFailed" - recommendedReasonMultiple = "MultipleReasons" + recommendedReasonRisksNotExposed = "NotExposedToRisks" + recommendedReasonExposedOnlyToAcceptedRisks = "ExposedOnlyToAcceptedRisks" + recommendedReasonEvaluationFailed = "EvaluationFailed" + recommendedReasonMultiple = "MultipleReasons" // recommendedReasonExposed is used instead of the original name if it does // not match the pattern for a valid k8s condition reason. recommendedReasonExposed = "ExposedToRisks" + + riskConditionReasonEvaluationFailed = "EvaluationFailed" ) // Reasons follow same pattern as k8s Condition Reasons 
@@ -493,18 +517,25 @@ var reasonPattern = regexp.MustCompile(`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ func newRecommendedReason(now, want string) string { switch { - case now == recommendedReasonRisksNotExposed: + case now == recommendedReasonRisksNotExposed || now == recommendedReasonExposedOnlyToAcceptedRisks && now != want: return want - case now == want: + case now == recommendedReasonExposedOnlyToAcceptedRisks && want == recommendedReasonRisksNotExposed || now == want: return now default: return recommendedReasonMultiple } } -func evaluateConditionalUpdate(ctx context.Context, risks []configv1.ConditionalUpdateRisk, conditionRegistry clusterconditions.ConditionRegistry) metav1.Condition { +func evaluateConditionalUpdate( + ctx context.Context, + risks []configv1.ConditionalUpdateRisk, + conditionRegistry clusterconditions.ConditionRegistry, + acceptRisks sets.Set[string], + shouldReconcileAcceptRisks func() bool, + riskConditions map[string][]metav1.Condition, +) metav1.Condition { recommended := metav1.Condition{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionTrue, // FIXME: ObservedGeneration? That would capture upstream/channel, but not necessarily the currently-reconciling version. Reason: recommendedReasonRisksNotExposed, 
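Review bot: The two new `case` expressions in newRecommendedReason mix `||` and `&&` without parentheses, and the clause `now == recommendedReasonExposedOnlyToAcceptedRisks && want == recommendedReasonRisksNotExposed` in the second case can never be reached, because the first case already returns for any `now == recommendedReasonExposedOnlyToAcceptedRisks && now != want`. The result also depends on risk order. An accepted risk followed by an un-accepted risk "A" yields reason `A`, while the reverse order falls through to `MultipleReasons` even though only one un-accepted risk applies. If accepted risks should never contribute to the reason, write the first case as `case now == recommendedReasonRisksNotExposed || (now == recommendedReasonExposedOnlyToAcceptedRisks && now != want):`, add `case want == recommendedReasonExposedOnlyToAcceptedRisks: return now` after it, and reduce the last case to `case now == want:`.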
@@ -513,18 +544,37 @@ func evaluateConditionalUpdate(ctx context.Context, risks []configv1.Conditional var errorMessages []string for _, risk := range risks { + riskCondition := metav1.Condition{ + Type: internal.ConditionalUpdateRiskConditionTypeApplies, + Status: metav1.ConditionFalse, + } if match, err := conditionRegistry.Match(ctx, risk.MatchingRules); err != nil { + msg := unknownExposureMessage(risk, err) recommended.Status = newRecommendedStatus(recommended.Status, metav1.ConditionUnknown) recommended.Reason = newRecommendedReason(recommended.Reason, recommendedReasonEvaluationFailed) - errorMessages = append(errorMessages, unknownExposureMessage(risk, err)) + errorMessages = append(errorMessages, msg) + riskCondition.Status = metav1.ConditionUnknown + riskCondition.Reason = riskConditionReasonEvaluationFailed + riskCondition.Message = msg } else if match { - recommended.Status = newRecommendedStatus(recommended.Status, metav1.ConditionFalse) - wantReason := recommendedReasonExposed - if reasonPattern.MatchString(risk.Name) { - wantReason = risk.Name + riskCondition.Status = metav1.ConditionTrue + if shouldReconcileAcceptRisks() && acceptRisks.Has(risk.Name) { + recommended.Status = newRecommendedStatus(recommended.Status, metav1.ConditionTrue) + recommended.Reason = newRecommendedReason(recommended.Reason, recommendedReasonExposedOnlyToAcceptedRisks) + recommended.Message = "The update is recommended, because either risk does not apply to this cluster or it is accepted by cluster admins." 
+ klog.V(2).Infof("Risk with name %q is accepted by the cluster admin and thus not in the evaluation of conditional update", risk.Name) + } else { + recommended.Status = newRecommendedStatus(recommended.Status, metav1.ConditionFalse) + wantReason := recommendedReasonExposed + if reasonPattern.MatchString(risk.Name) { + wantReason = risk.Name + } + recommended.Reason = newRecommendedReason(recommended.Reason, wantReason) + errorMessages = append(errorMessages, fmt.Sprintf("%s %s", risk.Message, risk.URL)) } - recommended.Reason = newRecommendedReason(recommended.Reason, wantReason) - errorMessages = append(errorMessages, fmt.Sprintf("%s %s", risk.Message, risk.URL)) + } + if _, ok := riskConditions[risk.Name]; !ok { + riskConditions[risk.Name] = []metav1.Condition{riskCondition} } } if len(errorMessages) > 0 { diff --git a/pkg/cvo/availableupdates_test.go b/pkg/cvo/availableupdates_test.go index e8f9d85dd..edb863f40 100644 --- a/pkg/cvo/availableupdates_test.go +++ b/pkg/cvo/availableupdates_test.go @@ -19,12 +19,14 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/util/workqueue" configv1 "github.com/openshift/api/config/v1" "github.com/openshift/cluster-version-operator/pkg/clusterconditions" "github.com/openshift/cluster-version-operator/pkg/clusterconditions/always" "github.com/openshift/cluster-version-operator/pkg/clusterconditions/mock" + "github.com/openshift/cluster-version-operator/pkg/featuregates" ) // notFoundProxyLister is a stub for ProxyLister @@ -207,6 +209,7 @@ var cvFixture = &configv1.ClusterVersion{ } var availableUpdatesCmpOpts = []cmp.Option{ + cmpopts.IgnoreFields(availableUpdates{}, "ShouldReconcileAcceptRisks"), cmpopts.IgnoreTypes(time.Time{}), cmpopts.IgnoreInterfaces(struct { clusterconditions.ConditionRegistry 
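Review bot: The guard `if _, ok := riskConditions[risk.Name]; !ok {` records a risk's condition only the first time its name is seen, so an early `Unknown` or `True` result is never replaced by a later evaluation that reuses the same map. getAvailableUpdates passes the stored map back in, and the only reset visible in this diff is in syncAvailableUpdates, so a re-evaluation between syncs would likely keep the old value. Assigning unconditionally, `riskConditions[risk.Name] = []metav1.Condition{riskCondition}`, avoids that. The function also writes into a caller-supplied map without a nil check, which panics if any caller builds `availableUpdates` without `RiskConditions`. A doc comment on evaluateConditionalUpdate should state that `riskConditions` must be non-nil and is mutated. The `Applies` condition is left with an empty `Reason` when the status is `True` or `False`, so if these conditions are later published in a status object, confirm the API accepts that.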
@@ -230,7 +233,9 @@ func TestSyncAvailableUpdates(t *testing.T) { Type: configv1.RetrievedUpdates, Status: configv1.ConditionTrue, } + expectedAvailableUpdates.RiskConditions = map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}} + optr.enabledFeatureGates = featuregates.DefaultCvoGates("version") err := optr.syncAvailableUpdates(context.Background(), cvFixture) if err != nil { @@ -319,6 +324,7 @@ func TestSyncAvailableUpdates_ConditionalUpdateRecommendedConditions(t *testing. tc.modifyOriginalState(optr) tc.modifyCV(cv, fixture.expectedConditionalUpdates[0]) + optr.enabledFeatureGates = featuregates.DefaultCvoGates("version") err := optr.syncAvailableUpdates(context.Background(), cv) if err != nil { @@ -345,10 +351,14 @@ func TestSyncAvailableUpdates_ConditionalUpdateRecommendedConditions(t *testing. func TestEvaluateConditionalUpdate(t *testing.T) { testcases := []struct { - name string - risks []configv1.ConditionalUpdateRisk - mockPromql clusterconditions.Condition - expected metav1.Condition + name string + risks []configv1.ConditionalUpdateRisk + mockPromql clusterconditions.Condition + acceptRisks sets.Set[string] + shouldReconcileAcceptRisks func() bool + riskConditions map[string][]metav1.Condition + expected metav1.Condition + expectedRiskConditions map[string][]metav1.Condition }{ { name: "no risks", @@ -358,6 +368,7 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Reason: recommendedReasonRisksNotExposed, Message: "The update is recommended, because none of the conditional update risks apply to this cluster.", }, + expectedRiskConditions: map[string][]metav1.Condition{}, }, { name: "one risk that does not match", 
@@ -379,6 +390,7 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Reason: recommendedReasonRisksNotExposed, Message: "The update is recommended, because none of the conditional update risks apply to this cluster.", }, + expectedRiskConditions: map[string][]metav1.Condition{"ShouldNotApply": {{Type: "Applies", Status: metav1.ConditionFalse}}}, }, { name: "one risk that matches", @@ -400,6 +412,31 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Reason: "RiskThatApplies", Message: "This is a risk! https://match.es", }, + expectedRiskConditions: map[string][]metav1.Condition{"RiskThatApplies": {{Type: "Applies", Status: metav1.ConditionTrue}}}, + }, + { + name: "one risk that matches and is accepted", + risks: []configv1.ConditionalUpdateRisk{ + { + URL: "https://match.es", + Name: "RiskThatApplies", + Message: "This is a risk!", + MatchingRules: []configv1.ClusterCondition{{Type: "PromQL"}}, + }, + }, + mockPromql: &mock.Mock{ + ValidQueue: []error{nil}, + MatchQueue: []mock.MatchResult{{Match: true, Error: nil}}, + }, + acceptRisks: sets.New[string]("RiskThatApplies", "not-important"), + shouldReconcileAcceptRisks: func() bool { return true }, + expected: metav1.Condition{ + Type: "Recommended", + Status: metav1.ConditionTrue, + Reason: "ExposedOnlyToAcceptedRisks", + Message: "The update is recommended, because either risk does not apply to this cluster or it is accepted by cluster admins.", + }, + expectedRiskConditions: map[string][]metav1.Condition{"RiskThatApplies": {{Type: "Applies", Status: metav1.ConditionTrue}}}, }, { name: "matching risk with name that cannot be used as a condition reason", @@ -421,6 +458,7 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Reason: recommendedReasonExposed, Message: "This is a risk! https://match.es", }, + expectedRiskConditions: map[string][]metav1.Condition{"RISK-THAT-APPLIES": {{Type: "Applies", Status: metav1.ConditionTrue}}}, }, { name: "two risks that match", 
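Review bot: The new "one risk that matches and is accepted" case is the only test that exercises acceptance, and it runs with `shouldReconcileAcceptRisks` returning true. Add a case with the same `acceptRisks` set but the gate function returning false, expecting `Status: metav1.ConditionFalse` and `Reason: "RiskThatApplies"`, so that a regression cannot let an accepted-risk list take effect while the feature gate is off. A second pair of cases should combine one accepted and one un-accepted matching risk in both orders, because the reason computed by newRecommendedReason currently differs between the two orders. The table continues outside these hunks, so such cases may already exist further down.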
@@ -431,6 +469,12 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Message: "This is a risk!", MatchingRules: []configv1.ClusterCondition{{Type: "PromQL"}}, }, + { + URL: "https://doesnotmat.ch", + Name: "ShouldNotApply", + Message: "ShouldNotApply", + MatchingRules: []configv1.ClusterCondition{{Type: "PromQL"}}, + }, { URL: "https://match.es/too", Name: "RiskThatAppliesToo", @@ -440,7 +484,7 @@ func TestEvaluateConditionalUpdate(t *testing.T) { }, mockPromql: &mock.Mock{ ValidQueue: []error{nil, nil}, - MatchQueue: []mock.MatchResult{{Match: true, Error: nil}, {Match: true, Error: nil}}, + MatchQueue: []mock.MatchResult{{Match: true, Error: nil}, {Match: false, Error: nil}, {Match: true, Error: nil}}, }, expected: metav1.Condition{ Type: "Recommended", @@ -448,6 +492,9 @@ func TestEvaluateConditionalUpdate(t *testing.T) { Reason: recommendedReasonMultiple, Message: "This is a risk! https://match.es\n\nThis is a risk too! https://match.es/too", }, + expectedRiskConditions: map[string][]metav1.Condition{"RiskThatApplies": {{Type: "Applies", Status: metav1.ConditionTrue}}, + "ShouldNotApply": {{Type: "Applies", Status: metav1.ConditionFalse}}, + "RiskThatAppliesToo": {{Type: "Applies", Status: metav1.ConditionTrue}}}, }, { name: "first risk matches, second fails to evaluate", @@ -478,6 +525,8 @@ func TestEvaluateConditionalUpdate(t *testing.T) { " RiskThatFailsToEvaluate description: This is a risk too!\n" + " RiskThatFailsToEvaluate URL: https://whokno.ws", }, + expectedRiskConditions: map[string][]metav1.Condition{"RiskThatApplies": {{Type: "Applies", Status: metav1.ConditionTrue}}, + "RiskThatFailsToEvaluate": {{Type: "Applies", Status: metav1.ConditionUnknown, Reason: "EvaluationFailed", Message: "Could not evaluate exposure to update risk RiskThatFailsToEvaluate (ERROR)\n RiskThatFailsToEvaluate description: This is a risk too!\n RiskThatFailsToEvaluate URL: https://whokno.ws"}}}, }, { name: "one risk that fails to evaluate", 
@@ -501,16 +550,29 @@ func TestEvaluateConditionalUpdate(t *testing.T) { " RiskThatFailsToEvaluate description: This is a risk!\n" + " RiskThatFailsToEvaluate URL: https://whokno.ws", }, + expectedRiskConditions: map[string][]metav1.Condition{"RiskThatFailsToEvaluate": {{Type: "Applies", Status: metav1.ConditionUnknown, Reason: "EvaluationFailed", Message: "Could not evaluate exposure to update risk RiskThatFailsToEvaluate (ERROR)\n RiskThatFailsToEvaluate description: This is a risk!\n RiskThatFailsToEvaluate URL: https://whokno.ws"}}}, }, } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { registry := clusterconditions.NewConditionRegistry() registry.Register("PromQL", tc.mockPromql) - actual := evaluateConditionalUpdate(context.Background(), tc.risks, registry) + if tc.shouldReconcileAcceptRisks == nil { + tc.shouldReconcileAcceptRisks = func() bool { + return false + } + } + if tc.riskConditions == nil { + tc.riskConditions = map[string][]metav1.Condition{} + } + actual := evaluateConditionalUpdate(context.Background(), tc.risks, registry, tc.acceptRisks, tc.shouldReconcileAcceptRisks, tc.riskConditions) if diff := cmp.Diff(tc.expected, actual); diff != "" { t.Errorf("actual condition differs from expected:\n%s", diff) } + + if diff := cmp.Diff(tc.expectedRiskConditions, tc.riskConditions); diff != "" { + t.Errorf("actual risk conditions differs from expected:\n%s", diff) + } }) } } @@ -533,9 +595,10 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates []configv1.ConditionalUpdate } tests := []struct { - name string - args args - expected expected + name string + args args + expected expected + expectedRiskConditions map[string][]metav1.Condition }{ // -------------------------------- Valid set desiredUpdate field combinations -------------------------------- // Some combinations, such as all fields being set, are omitted due to them causing API validation errors; 
@@ -556,6 +619,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, { name: "operator is multi, image is specified, version is not specified, architecture is not specified", @@ -570,6 +634,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, { name: "operator is multi, image is not specified, version is specified, architecture is specified", @@ -585,6 +650,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, { name: "operator is multi, image is not specified, version is specified, architecture is not specified", @@ -599,6 +665,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, // ---------------- Cases where the operator is single arch { @@ -615,6 +682,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: runtime.GOARCH, }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, { name: "operator is not multi, image is specified, version is not specified, architecture is not specified", 
@@ -629,6 +697,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: runtime.GOARCH, }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, { name: "operator is not multi, image is not specified, version is specified, architecture is specified - migration to multi arch issued", @@ -654,6 +723,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { updates: []configv1.Release{{Version: data.from.version, Image: data.from.image}}, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{}, }, { name: "operator is not multi, image is not specified, version is specified, architecture is specified - migration && update", @@ -671,6 +741,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { updates: []configv1.Release{{Version: data.from.version, Image: data.from.image}}, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{}, }, { name: "operator is not multi, image is not specified, version is specified, architecture is not specified", @@ -685,6 +756,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: runtime.GOARCH, }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, // -------------------------------- Desired Update Is NOT set -------------------------------- // ---------------- The operator is multi arch @@ -699,6 +771,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: "multi", }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, // ---------------- The operator is single arch { 
@@ -712,6 +785,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { conditionalUpdates: expectedConditionalUpdates, queryParamArch: runtime.GOARCH, }, + expectedRiskConditions: map[string][]metav1.Condition{"FourFiveSix": {{Type: "Applies", Status: "True"}}}, }, } for _, tt := range tests { @@ -734,6 +808,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { Type: configv1.RetrievedUpdates, Status: configv1.ConditionTrue, } + expectedAvailableUpdates.RiskConditions = tt.expectedRiskConditions expectedQueryParams := url.Values{ "arch": {tt.expected.queryParamArch}, @@ -744,6 +819,7 @@ func TestSyncAvailableUpdatesDesiredUpdate(t *testing.T) { cv := cvFixture.DeepCopy() cv.Spec.DesiredUpdate = tt.args.desiredUpdate + optr.enabledFeatureGates = featuregates.DefaultCvoGates("version") if err := optr.syncAvailableUpdates(context.Background(), cv); err != nil { t.Fatalf("syncAvailableUpdates() unexpected error: %v", err) } diff --git a/pkg/cvo/cvo.go b/pkg/cvo/cvo.go index 59b1da6ce..a98b8fd16 100644 --- a/pkg/cvo/cvo.go +++ b/pkg/cvo/cvo.go @@ -1091,3 +1091,12 @@ func (optr *Operator) shouldReconcileCVOConfiguration() bool { // The relevant CRD and CR are not applied in HyperShift, which configures the CVO via a configuration file return optr.enabledFeatureGates.CVOConfiguration() && !optr.hypershift } + +// shouldReconcileAcceptRisks returns whether the CVO should reconcile spec.desiredUpdate.acceptRisks and populate the +// relevant fields in status. +// +// enabledFeatureGates must be initialized before the function is called. +func (optr *Operator) shouldReconcileAcceptRisks() bool { + // HyperShift will be supported later if needed + return optr.enabledFeatureGates.AcceptRisks() && !optr.hypershift +} diff --git a/pkg/cvo/cvo_test.go b/pkg/cvo/cvo_test.go index 0be327dd0..cf6a70cd6 100644 --- a/pkg/cvo/cvo_test.go +++ b/pkg/cvo/cvo_test.go 
@@ -16,6 +16,7 @@ import ( "github.com/davecgh/go-spew/spew" "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/uuid" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -2303,7 +2304,6 @@ func TestOperator_sync(t *testing.T) { func TestOperator_availableUpdatesSync(t *testing.T) { id := uuid.Must(uuid.NewRandom()).String() - tests := []struct { name string key string @@ -2364,6 +2364,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Reason: "VersionNotFound", Message: `Unable to retrieve available updates: currently reconciling cluster version 4.0.1 not found in the "fast" channel`, }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { @@ -2407,6 +2408,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Reason: noChannel, Message: "The update channel has not been configured.", }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { @@ -2449,6 +2451,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Reason: "NoCurrentVersion", Message: "The cluster version does not have a semantic version assigned and cannot calculate valid upgrades.", }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { @@ -2498,6 +2501,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Reason: "ResponseFailed", Message: "Unable to retrieve available updates: unexpected HTTP status: 500 Internal Server Error", }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { @@ -2566,6 +2570,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Type: configv1.RetrievedUpdates, Status: configv1.ConditionTrue, }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { @@ -2632,6 +2637,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Type: configv1.RetrievedUpdates, Status: configv1.ConditionTrue, }, + RiskConditions: map[string][]metav1.Condition{}, }, }, { 
@@ -2730,6 +2736,7 @@ func TestOperator_availableUpdatesSync(t *testing.T) { Reason: "ResponseFailed", Message: "Unable to retrieve available updates: unexpected HTTP status: 500 Internal Server Error", }, + RiskConditions: map[string][]metav1.Condition{}, }, }, } @@ -2782,8 +2789,8 @@ func TestOperator_availableUpdatesSync(t *testing.T) { } } - if !reflect.DeepEqual(optr.availableUpdates, tt.wantUpdates) { - t.Fatalf("unexpected: %s", cmp.Diff(tt.wantUpdates, optr.availableUpdates)) + if diff := cmp.Diff(tt.wantUpdates, optr.availableUpdates, cmpopts.IgnoreFields(availableUpdates{}, "ShouldReconcileAcceptRisks")); diff != "" { + t.Fatalf("unexpected: %s", diff) } if (optr.queue.Len() > 0) != (optr.availableUpdates != nil) { t.Fatalf("unexpected queue") diff --git a/pkg/cvo/metrics.go b/pkg/cvo/metrics.go index 3962418c9..bbbf44263 100644 --- a/pkg/cvo/metrics.go +++ b/pkg/cvo/metrics.go @@ -441,7 +441,7 @@ func (m *operatorMetrics) Describe(ch chan<- *prometheus.Desc) { func (m *operatorMetrics) collectConditionalUpdates(ch chan<- prometheus.Metric, updates []configv1.ConditionalUpdate) { for _, update := range updates { for _, condition := range update.Conditions { - if condition.Type != ConditionalUpdateConditionTypeRecommended { + if condition.Type != internal.ConditionalUpdateConditionTypeRecommended { continue } diff --git a/pkg/cvo/metrics_test.go b/pkg/cvo/metrics_test.go index 6392ed5a4..18950dc90 100644 --- a/pkg/cvo/metrics_test.go +++ b/pkg/cvo/metrics_test.go @@ -47,7 +47,7 @@ func Test_operatorMetrics_Collect(t *testing.T) { Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, Conditions: []metav1.Condition{ { - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionTrue, LastTransitionTime: metav1.NewTime(time.Unix(3, 0)), Reason: "RiskDoesNotApply", 
@@ -838,7 +838,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.1", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionFalse, LastTransitionTime: metav1.NewTime(anchorTime), Reason: "RiskApplies", @@ -858,7 +858,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.1", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionTrue, LastTransitionTime: metav1.NewTime(anchorTime), Reason: "RiskDoesNotApply", @@ -878,7 +878,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.1", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionUnknown, LastTransitionTime: metav1.NewTime(anchorTime), Reason: "EvaluationFailed", @@ -898,7 +898,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.1", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionFalse, LastTransitionTime: metav1.NewTime(anchorTime), Reason: "RiskApplies", 
@@ -909,7 +909,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.2", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionTrue, LastTransitionTime: metav1.NewTime(anchorTime.Add(time.Minute)), Reason: "RiskDoesNotApply", @@ -920,7 +920,7 @@ func TestCollectUnknownConditionalUpdates(t *testing.T) { Release: configv1.Release{Version: "4.13.3", Image: "pullspec"}, Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk"}}, Conditions: []metav1.Condition{{ - Type: ConditionalUpdateConditionTypeRecommended, + Type: internal.ConditionalUpdateConditionTypeRecommended, Status: metav1.ConditionUnknown, LastTransitionTime: metav1.NewTime(anchorTime.Add(time.Minute * 2)), Reason: "EvaluationFailed", diff --git a/pkg/cvo/status.go b/pkg/cvo/status.go index 8194d683a..5af661e73 100644 --- a/pkg/cvo/status.go +++ b/pkg/cvo/status.go @@ -17,6 +17,7 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" configv1 "github.com/openshift/api/config/v1" @@ -29,10 +30,6 @@ import ( ) const ( - // ConditionalUpdateConditionTypeRecommended is a type of the condition present on a conditional update - // that indicates whether the conditional update is recommended or not - ConditionalUpdateConditionTypeRecommended = "Recommended" - // MaxHistory is the maximum size of ClusterVersion history. Once exceeded // ClusterVersion history will be pruned. It is declared here and passed // into the pruner function to allow easier testing. 
@@ -40,7 +37,7 @@ const ( ) func findRecommendedCondition(conditions []metav1.Condition) *metav1.Condition { - return meta.FindStatusCondition(conditions, ConditionalUpdateConditionTypeRecommended) + return meta.FindStatusCondition(conditions, internal.ConditionalUpdateConditionTypeRecommended) } func mergeEqualVersions(current *configv1.UpdateHistory, desired configv1.Release) bool { @@ -180,7 +177,7 @@ func (optr *Operator) syncStatus(ctx context.Context, original, config *configv1 original = config.DeepCopy() } - updateClusterVersionStatus(&config.Status, status, optr.release, optr.getAvailableUpdates, optr.enabledFeatureGates, validationErrs) + updateClusterVersionStatus(&config.Status, status, optr.release, optr.getAvailableUpdates, optr.enabledFeatureGates, validationErrs, optr.shouldReconcileAcceptRisks) if klog.V(6).Enabled() { klog.Infof("Apply config: %s", cmp.Diff(original, config)) @@ -191,9 +188,15 @@ func (optr *Operator) syncStatus(ctx context.Context, original, config *configv1 } // updateClusterVersionStatus updates the passed cvStatus with the latest status information -func updateClusterVersionStatus(cvStatus *configv1.ClusterVersionStatus, status *SyncWorkerStatus, - release configv1.Release, getAvailableUpdates func() *availableUpdates, enabledGates featuregates.CvoGateChecker, - validationErrs field.ErrorList) { +func updateClusterVersionStatus( + cvStatus *configv1.ClusterVersionStatus, + status *SyncWorkerStatus, + release configv1.Release, + getAvailableUpdates func() *availableUpdates, + enabledGates featuregates.CvoGateChecker, + validationErrs field.ErrorList, + shouldReconcileAcceptRisks func() bool, +) { cvStatus.ObservedGeneration = status.Generation if len(status.VersionHash) > 0 { 
@@ -222,9 +225,26 @@ func updateClusterVersionStatus(cvStatus *configv1.ClusterVersionStatus, status desired.Architecture = configv1.ClusterVersionArchitecture("") } + var riskNamesForDesiredImage []string + if shouldReconcileAcceptRisks() { + cvStatus.ConditionalUpdates, riskNamesForDesiredImage = conditionalUpdateWithRiskNamesAndRiskConditions(cvStatus.ConditionalUpdates, getAvailableUpdates, desired.Image) + cvStatus.ConditionalUpdateRisks = conditionalUpdateRisks(cvStatus.ConditionalUpdates) + } + risksMsg := "" if desired.Image == status.loadPayloadStatus.Update.Image { risksMsg = status.loadPayloadStatus.AcceptedRisks + // Include the accepted risks from clusterversion.spec.desiredUpdate.acceptRisks that apply to the cluster + // Ideally this should be formed earlier like others from a condition's message. + // However, it is not easy to follow the tradition because the existing pattern is for the error cases. + // Here Recommended=True because admins accept risks already leads to no error. + if shouldReconcileAcceptRisks() && len(riskNamesForDesiredImage) > 0 { + if risksMsg == "" { + risksMsg = fmt.Sprintf("The target release %s is exposed to the risks [%s] and accepted by CVO because either the risk is considered acceptable by the cluster admin or it does not apply to the cluster.", desired.Image, strings.Join(riskNamesForDesiredImage, ",")) + } else { + risksMsg = fmt.Sprintf("%s; It is exposed to the risks [%s] and accepted by CVO because either the risk is considered acceptable by the cluster admin or it does not apply to the cluster.", risksMsg, strings.Join(riskNamesForDesiredImage, ",")) + } + } } mergeOperatorHistory(cvStatus, desired, status.Verified, now, status.Completed > 0, risksMsg, status.loadPayloadStatus.Local) 
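Review bot: The message built under `if shouldReconcileAcceptRisks() && len(riskNamesForDesiredImage) > 0` lists every name in the matched update's `RiskNames`, so the history text cannot tell a risk the administrator accepted from one that does not apply to the cluster. Nothing in this hunk compares those names with `spec.desiredUpdate.acceptRisks`, yet the text says the risks were "accepted by CVO". If that check happens elsewhere, say so in a comment here, and either split the names by their `Applies` condition or word the message as "exposed to" only. The callback is also evaluated twice in one status update and could flip between the calls; read it once with `reconcileAcceptRisks := shouldReconcileAcceptRisks()` and reuse the local. The body of `updateClusterVersionStatus` starts and ends outside this hunk.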
@@ -402,6 +422,72 @@ func updateClusterVersionStatus(cvStatus *configv1.ClusterVersionStatus, status } } +func conditionalUpdateWithRiskNamesAndRiskConditions(conditionalUpdates []configv1.ConditionalUpdate, getAvailableUpdates func() *availableUpdates, desiredImage string) ([]configv1.ConditionalUpdate, []string) { + var result []configv1.ConditionalUpdate + var riskNamesForDesiredImage []string + var riskConditions map[string][]metav1.Condition + updates := getAvailableUpdates() + if updates != nil { + riskConditions = updates.RiskConditions + } + for _, conditionalUpdate := range conditionalUpdates { + riskNames := sets.New[string]() + var risks []configv1.ConditionalUpdateRisk + for _, risk := range conditionalUpdate.Risks { + riskNames.Insert(risk.Name) + riskTypesToRemove := sets.New[string]() + conditions, ok := riskConditions[risk.Name] + if !ok { + // This should never happen + conditions = []metav1.Condition{ + { + Type: internal.ConditionalUpdateRiskConditionTypeApplies, + Status: metav1.ConditionUnknown, + Reason: "InternalErrorNoConditionCollected", + }, + } + } + for _, condition := range risk.Conditions { + if found := meta.FindStatusCondition(conditions, condition.Type); found == nil { + riskTypesToRemove.Insert(condition.Type) + } + } + for riskTypeToRemove := range riskTypesToRemove { + meta.RemoveStatusCondition(&risk.Conditions, riskTypeToRemove) + } + for _, condition := range conditions { + meta.SetStatusCondition(&risk.Conditions, condition) + } + risks = append(risks, risk) + } + if riskNames.Len() > 0 { + conditionalUpdate.RiskNames = sets.List[string](riskNames) + } + conditionalUpdate.Risks = risks + + if desiredImage == conditionalUpdate.Release.Image { + riskNamesForDesiredImage = conditionalUpdate.RiskNames + } + result = append(result, conditionalUpdate) + } + return result, riskNamesForDesiredImage +} + +func conditionalUpdateRisks(conditionalUpdates []configv1.ConditionalUpdate) []configv1.ConditionalUpdateRisk { + var result 
[]configv1.ConditionalUpdateRisk + riskNames := sets.New[string]() + for _, conditionalUpdate := range conditionalUpdates { + for _, risk := range conditionalUpdate.Risks { + if riskNames.Has(risk.Name) { + continue + } + riskNames.Insert(risk.Name) + result = append(result, risk) + } + } + return result +} + // getReasonMessageFromError returns the reason and the message from an error. // If the reason or message is not available, an empty string is returned. func getReasonMessageFromError(err error) (reason, message string) { diff --git a/pkg/cvo/status_test.go b/pkg/cvo/status_test.go index 1e1711c3c..91d13add1 100644 --- a/pkg/cvo/status_test.go +++ b/pkg/cvo/status_test.go @@ -203,6 +203,7 @@ type fakeRiFlags struct { unknownVersion bool statusReleaseArchitecture bool cvoConfiguration bool + acceptRisks bool } func (f fakeRiFlags) UnknownVersion() bool { @@ -217,6 +218,10 @@ func (f fakeRiFlags) CVOConfiguration() bool { return f.cvoConfiguration } +func (f fakeRiFlags) AcceptRisks() bool { + return f.acceptRisks +} + func TestUpdateClusterVersionStatus_FilteringMultipleErrorsForFailingCondition(t *testing.T) { ignoreLastTransitionTime := cmpopts.IgnoreFields(configv1.ClusterOperatorStatusCondition{}, "LastTransitionTime") type args struct { 
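Review bot: The `if !ok` fallback in `conditionalUpdateWithRiskNamesAndRiskConditions` is commented `// This should never happen`, but it is the normal path whenever `getAvailableUpdates()` returns nil or `RiskConditions` is empty. It publishes `Applies=Unknown` with an empty `Message` and logs nothing, so an unevaluated risk reaches the status with no trace of why. Name the risk in the condition, e.g. `Message: fmt.Sprintf("no Applies condition was collected for risk %q", risk.Name)`, add a `klog.Warningf` beside it, and correct the comment to say when the branch is taken. Both new functions would also benefit from a doc comment; for `conditionalUpdateRisks`, state that the first occurrence of a risk name wins.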
@@ -741,7 +746,9 @@ func TestUpdateClusterVersionStatus_FilteringMultipleErrorsForFailingCondition(t if tc.shouldModifyWhenNotReconcilingAndHistoryNotEmpty && !c.isReconciling && !c.isHistoryEmpty { expectedCondition = tc.expectedConditionModified } - updateClusterVersionStatus(cvStatus, tc.args.syncWorkerStatus, release, getAvailableUpdates, gates, noErrors) + updateClusterVersionStatus(cvStatus, tc.args.syncWorkerStatus, release, getAvailableUpdates, gates, noErrors, func() bool { + return false + }) condition := resourcemerge.FindOperatorStatusCondition(cvStatus.Conditions, internal.ClusterStatusFailing) if diff := cmp.Diff(expectedCondition, condition, ignoreLastTransitionTime); diff != "" { t.Errorf("unexpected condition when Reconciling == %t && isHistoryEmpty == %t\n:%s", c.isReconciling, c.isHistoryEmpty, diff) 
@@ -935,3 +942,208 @@ func Test_filterOutUpdateErrors(t *testing.T) { }) } } + +var ( + cu1 = configv1.ConditionalUpdate{ + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + RiskNames: []string{"wrongName"}, + Risks: []configv1.ConditionalUpdateRisk{ + { + Name: "Risk1", + Conditions: []metav1.Condition{ + {Type: "wrongType", Status: metav1.ConditionUnknown}, + }, + }, + }, + } + + cu2 = configv1.ConditionalUpdate{ + Release: configv1.Release{Version: "4.5.7", Image: "pullspec/4.5.7"}, + Risks: []configv1.ConditionalUpdateRisk{ + { + Name: "Risk1", + }, + { + Name: "Risk2", + }, + }, + } +) + +func Test_conditionalUpdateWithRiskNamesAndRiskConditions(t *testing.T) { + tests := []struct { + name string + conditionalUpdates []configv1.ConditionalUpdate + desiredImage string + availableUpdates *availableUpdates + expected []configv1.ConditionalUpdate + expectedNames []string + }{ + { + name: "nil available updates", + conditionalUpdates: []configv1.ConditionalUpdate{*cu1.DeepCopy()}, + expected: []configv1.ConditionalUpdate{{ + RiskNames: []string{"Risk1"}, + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + Risks: []configv1.ConditionalUpdateRisk{ + { + Name: "Risk1", Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionUnknown, + Reason: "InternalErrorNoConditionCollected", + }, + }}, + }, + }}, + }, + { + name: "no risk conditions", + availableUpdates: &availableUpdates{}, + conditionalUpdates: []configv1.ConditionalUpdate{*cu1.DeepCopy()}, + expected: []configv1.ConditionalUpdate{{ + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + RiskNames: []string{"Risk1"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionUnknown, + Reason: "InternalErrorNoConditionCollected", + }, + }}}, + }}, + }, + { + name: "no risk conditions but desired image matches", + desiredImage: "pullspec/4.5.6", + 
availableUpdates: &availableUpdates{}, + conditionalUpdates: []configv1.ConditionalUpdate{*cu1.DeepCopy()}, + expected: []configv1.ConditionalUpdate{{ + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + RiskNames: []string{"Risk1"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionUnknown, + Reason: "InternalErrorNoConditionCollected", + }, + }}}, + }}, + expectedNames: []string{"Risk1"}, + }, + { + name: "basic case", + desiredImage: "pullspec/4.5.7", + availableUpdates: &availableUpdates{ + RiskConditions: map[string][]metav1.Condition{ + "Risk1": {{Type: "Applies", Status: metav1.ConditionTrue}}, + "Risk2": {{Type: "Applies", Status: metav1.ConditionFalse}}, + }, + }, + conditionalUpdates: []configv1.ConditionalUpdate{*cu1.DeepCopy(), *cu2.DeepCopy()}, + expected: []configv1.ConditionalUpdate{{ + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + RiskNames: []string{"Risk1"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}}, + }, { + Release: configv1.Release{Version: "4.5.7", Image: "pullspec/4.5.7"}, + RiskNames: []string{"Risk1", "Risk2"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}, {Name: "Risk2", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionFalse, + }, + }}}, + }}, + expectedNames: []string{"Risk1", "Risk2"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + getAvailableUpdates := func() *availableUpdates { + return tt.availableUpdates + } + actual, actualNames := conditionalUpdateWithRiskNamesAndRiskConditions(tt.conditionalUpdates, getAvailableUpdates, tt.desiredImage) + if difference := cmp.Diff(tt.expected, actual, 
cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")); difference != "" { + t.Errorf("conditional updates differ from expected:\n%s", difference) + } + if difference := cmp.Diff(tt.expectedNames, actualNames); difference != "" { + t.Errorf("risk names differ from expected:\n%s", difference) + } + }) + } +} + +func Test_conditionalUpdateRisks(t *testing.T) { + tests := []struct { + name string + conditionalUpdates []configv1.ConditionalUpdate + expected []configv1.ConditionalUpdateRisk + }{ + { + name: "basic case", + conditionalUpdates: []configv1.ConditionalUpdate{{ + Release: configv1.Release{Version: "4.5.6", Image: "pullspec/4.5.6"}, + RiskNames: []string{"Risk1", "Risk3"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}, {Name: "Risk3", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}}, + }, { + Release: configv1.Release{Version: "4.5.7", Image: "pullspec/4.5.7"}, + RiskNames: []string{"Risk1", "Risk2"}, + Risks: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}, {Name: "Risk2", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionFalse, + }, + }}}, + }}, + expected: []configv1.ConditionalUpdateRisk{{Name: "Risk1", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}, {Name: "Risk3", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionTrue, + }, + }}, {Name: "Risk2", + Conditions: []metav1.Condition{{ + Type: "Applies", + Status: metav1.ConditionFalse, + }, + }}}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + actual := conditionalUpdateRisks(tt.conditionalUpdates) + if difference := cmp.Diff(tt.expected, actual, cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")); 
difference != "" { + t.Errorf("actual differ from expected:\n%s", difference) + } + }) + } +} diff --git a/pkg/featuregates/featuregates.go b/pkg/featuregates/featuregates.go index 27fd627c3..a66e19ca2 100644 --- a/pkg/featuregates/featuregates.go +++ b/pkg/featuregates/featuregates.go @@ -35,6 +35,9 @@ type CvoGateChecker interface { // CVOConfiguration controls whether the CVO reconciles the ClusterVersionOperator resource that corresponds // to its configuration. CVOConfiguration() bool + + // AcceptRisks controls whether the CVO reconciles spec.desiredUpdate.acceptRisks. + AcceptRisks() bool } // CvoGates contains flags that control CVO functionality gated by product feature gates. The @@ -49,6 +52,7 @@ type CvoGates struct { unknownVersion bool statusReleaseArchitecture bool cvoConfiguration bool + acceptRisks bool } func (c CvoGates) StatusReleaseArchitecture() bool { @@ -63,6 +67,10 @@ func (c CvoGates) CVOConfiguration() bool { return c.cvoConfiguration } +func (c CvoGates) AcceptRisks() bool { + return c.acceptRisks +} + // DefaultCvoGates apply when actual features for given version are unknown func DefaultCvoGates(version string) CvoGates { return CvoGates{ @@ -70,6 +78,7 @@ func DefaultCvoGates(version string) CvoGates { unknownVersion: true, statusReleaseArchitecture: false, cvoConfiguration: false, + acceptRisks: false, } } @@ -91,6 +100,8 @@ func CvoGatesFromFeatureGate(gate *configv1.FeatureGate, version string) CvoGate enabledGates.statusReleaseArchitecture = true case features.FeatureGateCVOConfiguration: enabledGates.cvoConfiguration = true + case features.FeatureGateClusterUpdateAcceptRisks: + enabledGates.acceptRisks = true } } for _, disabled := range g.Disabled { 
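Review bot: `Test_conditionalUpdateWithRiskNamesAndRiskConditions` has no case where `RiskConditions` holds some of an update's risks but not others; every case has either no map at all or an entry for each risk. Add one using `cu2` with only `"Risk1"` in the map, expecting `Risk2` to receive the `InternalErrorNoConditionCollected` placeholder while `Risk1` keeps its collected condition. That is the mixed state in which the placeholder and real conditions sit side by side in the status, so it is worth pinning down.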
@@ -99,6 +110,8 @@ func CvoGatesFromFeatureGate(gate *configv1.FeatureGate, version string) CvoGate enabledGates.statusReleaseArchitecture = false case features.FeatureGateCVOConfiguration: enabledGates.cvoConfiguration = false + case features.FeatureGateClusterUpdateAcceptRisks: + enabledGates.acceptRisks = false } } } diff --git a/pkg/internal/constants.go b/pkg/internal/constants.go index fa074c946..00e71fd70 100644 --- a/pkg/internal/constants.go +++ b/pkg/internal/constants.go @@ -70,4 +70,12 @@ const ( // UpgradeableUpgradeInProgress is True if an update is in progress UpgradeableUpgradeInProgress configv1.ClusterStatusConditionType = "UpgradeableUpgradeInProgress" + + // ConditionalUpdateConditionTypeRecommended is a type of the condition present on a conditional update + // that indicates whether the conditional update is recommended or not + ConditionalUpdateConditionTypeRecommended = "Recommended" + + // ConditionalUpdateRiskConditionTypeApplies is a type of the condition present on a conditional update risk + // that indicates whether the conditional update risk applies to the cluster + ConditionalUpdateRiskConditionTypeApplies = "Applies" ) diff --git a/pkg/payload/precondition/clusterversion/recommendedupdate.go b/pkg/payload/precondition/clusterversion/recommendedupdate.go index c4d7729c6..acfd67113 100644 --- a/pkg/payload/precondition/clusterversion/recommendedupdate.go +++ b/pkg/payload/precondition/clusterversion/recommendedupdate.go @@ -11,6 +11,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/openshift/cluster-version-operator/lib/resourcemerge" + "github.com/openshift/cluster-version-operator/pkg/internal" precondition "github.com/openshift/cluster-version-operator/pkg/payload/precondition" ) 
@@ -51,7 +52,7 @@ func (ru *RecommendedUpdate) Run(ctx context.Context, releaseContext preconditio for _, conditionalUpdate := range clusterVersion.Status.ConditionalUpdates { if conditionalUpdate.Release.Version == releaseContext.DesiredVersion { for _, condition := range conditionalUpdate.Conditions { - if condition.Type == "Recommended" { + if condition.Type == internal.ConditionalUpdateConditionTypeRecommended { switch condition.Status { case metav1.ConditionTrue: return nil diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go index 222c7f0cc..eac29a236 100644 --- a/vendor/github.com/openshift/api/config/v1/register.go +++ b/vendor/github.com/openshift/api/config/v1/register.go @@ -76,8 +76,6 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ImagePolicyList{}, &ClusterImagePolicy{}, &ClusterImagePolicyList{}, - &InsightsDataGather{}, - &InsightsDataGatherList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) return nil diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index e5aad151e..2b9677ffa 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go 
@@ -202,6 +202,19 @@ type ClusterVersionStatus struct { // +listType=atomic // +optional ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"` + + // conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + // When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + // If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + // The risk names in the list must be unique. + // conditionalUpdateRisks must not contain more than 500 entries. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MaxItems=500 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=name + // +optional + ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"` } // UpdateState is a constant representing whether an update was successfully @@ -258,7 +271,7 @@ type UpdateHistory struct { Verified bool `json:"verified"` // acceptedRisks records risks which were accepted to initiate the update. - // For example, it may menition an Upgradeable=False or missing signature + // For example, it may mention an Upgradeable=False or missing signature // that was overridden via desiredUpdate.force, or an update that was // initiated despite not being in the availableUpdates set of recommended // update targets. 
@@ -732,6 +745,30 @@ type Update struct { // // +optional Force bool `json:"force"` + + // acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + // A conditional update is performed only if all of its risks are acceptable. + // This list may contain entries that apply to current, previous or future updates. + // The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + // acceptRisks must not contain more than 1000 entries. + // Entries in this list must be unique. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MaxItems=1000 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=name + // +optional + AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"` +} + +// AcceptRisk represents a risk that is considered acceptable. +type AcceptRisk struct { + // name is the name of the acceptable risk. + // It must be a non-empty string and must not exceed 256 characters. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + // +required + Name string `json:"name,omitempty"` } // Release represents an OpenShift release image and associated metadata. 
@@ -787,6 +824,20 @@ type ConditionalUpdate struct { // +required Release Release `json:"release"` + // riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + // The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + // A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + // The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + // Entries must be unique and must not exceed 256 characters. + // riskNames must not contain more than 500 entries. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:items:MaxLength=256 + // +kubebuilder:validation:MaxItems=500 + // +listType=set + // +optional + RiskNames []string `json:"riskNames,omitempty"` + // risks represents the range of issues associated with // updating to the target release. The cluster-version // operator will evaluate all entries, and only recommend the 
@@ -813,6 +864,20 @@ type ConditionalUpdate struct { // for not recommending a conditional update. // +k8s:deepcopy-gen=true type ConditionalUpdateRisk struct { + // conditions represents the observations of the conditional update + // risk's current status. Known types are: + // * Applies, for whether the risk applies to the current cluster. + // The condition's types in the list must be unique. + // conditions must not contain more than one entry. + // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks + // +kubebuilder:validation:items:XValidation:rule="has(self.type) && self.type == 'Applies'",message="type must be 'Applies'" + // +kubebuilder:validation:MaxItems=1 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` + // url contains information about this risk. // +kubebuilder:validation:Format=uri // +kubebuilder:validation:MinLength=1 diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 169e29c5c..e111d518a 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go 
@@ -53,8 +53,12 @@ var ( // your cluster may fail in an unrecoverable way. CustomNoUpgrade FeatureSet = "CustomNoUpgrade" + // OKD turns on features for OKD. Turning this feature set ON is supported for OKD clusters, but NOT for OpenShift clusters. + // Once enabled, this feature set cannot be changed back to Default, but can be changed to other feature sets and it allows upgrades. + OKD FeatureSet = "OKD" + // AllFixedFeatureSets are the featuresets that have known featuregates. Custom doesn't for instance. LatencySensitive is dead - AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade} + AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade, OKD} ) type FeatureGateSpec struct { @@ -67,10 +71,11 @@ type FeatureGateSelection struct { // Turning on or off features may cause irreversible changes in your cluster which cannot be undone. // +unionDiscriminator // +optional - // +kubebuilder:validation:Enum=CustomNoUpgrade;DevPreviewNoUpgrade;TechPreviewNoUpgrade;"" + // +kubebuilder:validation:Enum=CustomNoUpgrade;DevPreviewNoUpgrade;TechPreviewNoUpgrade;OKD;"" // +kubebuilder:validation:XValidation:rule="oldSelf == 'CustomNoUpgrade' ? self == 'CustomNoUpgrade' : true",message="CustomNoUpgrade may not be changed" // +kubebuilder:validation:XValidation:rule="oldSelf == 'TechPreviewNoUpgrade' ? self == 'TechPreviewNoUpgrade' : true",message="TechPreviewNoUpgrade may not be changed" // +kubebuilder:validation:XValidation:rule="oldSelf == 'DevPreviewNoUpgrade' ? self == 'DevPreviewNoUpgrade' : true",message="DevPreviewNoUpgrade may not be changed" + // +kubebuilder:validation:XValidation:rule="oldSelf == 'OKD' ? self != '' : true",message="OKD cannot transition to Default" FeatureSet FeatureSet `json:"featureSet,omitempty"` // customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. 
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go index 54bd21adb..a6a640513 100644 --- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go @@ -82,7 +82,7 @@ type PolicyRootOfTrust struct { // Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". // When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go deleted file mode 100644 index b0959881f..000000000 --- a/vendor/github.com/openshift/api/config/v1/types_insights.go +++ /dev/null 
@@ -1,230 +0,0 @@ -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// InsightsDataGather provides data gather configuration options for the Insights Operator. -// -// +genclient -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// -// +kubebuilder:object:root=true -// +kubebuilder:resource:path=insightsdatagathers,scope=Cluster -// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448 -// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=InsightsConfig -// -// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -// +openshift:compatibility-gen:level=1 -type InsightsDataGather struct { - metav1.TypeMeta `json:",inline"` - // metadata is the standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +optional - metav1.ObjectMeta `json:"metadata,omitempty"` - // spec holds user settable values for configuration - // +required - Spec InsightsDataGatherSpec `json:"spec,omitempty,omitzero"` -} - -// InsightsDataGatherSpec contains the configuration for the data gathering. -type InsightsDataGatherSpec struct { - // gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress. - // +required - GatherConfig GatherConfig `json:"gatherConfig,omitempty,omitzero"` -} - -// GatherConfig provides data gathering configuration options. -type GatherConfig struct { - // dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. - // It may not exceed 2 items and must not contain duplicates. - // Valid values are ObfuscateNetworking and WorkloadNames. 
- // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. - // When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. - // When omitted no obfuscation is applied. - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=2 - // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="dataPolicy items must be unique" - // +listType=atomic - // +optional - DataPolicy []DataPolicyOption `json:"dataPolicy,omitempty"` - // gatherers is a required field that specifies the configuration of the gatherers. - // +required - Gatherers Gatherers `json:"gatherers,omitempty,omitzero"` - // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. - // If omitted, the gathering job will use ephemeral storage. - // +optional - Storage Storage `json:"storage,omitempty,omitzero"` -} - -// Gatherers specifies the configuration of the gatherers -// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Custom' ? has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise" -// +union -type Gatherers struct { - // mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. - // When set to All, all gatherers will run and gather data. - // When set to None, all gatherers will be disabled and no data will be gathered. - // When set to Custom, the custom configuration from the custom field will be applied. - // +unionDiscriminator - // +required - Mode GatheringMode `json:"mode,omitempty"` - // custom provides gathering configuration. - // It is required when mode is Custom, and forbidden otherwise. - // Custom configuration allows user to disable only a subset of gatherers. 
- // Gatherers that are not explicitly disabled in custom configuration will run. - // +unionMember - // +optional - Custom Custom `json:"custom,omitempty,omitzero"` -} - -// Custom provides the custom configuration of gatherers -type Custom struct { - // configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. - // It may not exceed 100 items and each gatherer can be present only once. - // It is possible to disable an entire set of gatherers while allowing a specific function within that set. - // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - // Run the following command to get the names of last active gatherers: - // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=100 - // +listType=map - // +listMapKey=name - // +required - Configs []GathererConfig `json:"configs,omitempty"` -} - -// GatheringMode defines the valid gathering modes. -// +kubebuilder:validation:Enum=All;None;Custom -type GatheringMode string - -const ( - // Enabled enables all gatherers - GatheringModeAll GatheringMode = "All" - // Disabled disables all gatherers - GatheringModeNone GatheringMode = "None" - // Custom applies the configuration from GatheringConfig. 
- GatheringModeCustom GatheringMode = "Custom" -) - -// DataPolicyOption declares valid data policy options -// +kubebuilder:validation:Enum=ObfuscateNetworking;WorkloadNames -type DataPolicyOption string - -const ( - // IP addresses and cluster domain name are obfuscated - DataPolicyOptionObfuscateNetworking DataPolicyOption = "ObfuscateNetworking" - // Data from Deployment Validation Operator are obfuscated - DataPolicyOptionObfuscateWorkloadNames DataPolicyOption = "WorkloadNames" -) - -// Storage provides persistent storage configuration options for gathering jobs. -// If the type is set to PersistentVolume, then the PersistentVolume must be defined. -// If the type is set to Ephemeral, then the PersistentVolume must not be defined. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise" -// +union -type Storage struct { - // type is a required field that specifies the type of storage that will be used to store the Insights data archive. - // Valid values are "PersistentVolume" and "Ephemeral". - // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. - // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. - // +unionDiscriminator - // +required - Type StorageType `json:"type,omitempty"` - // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. - // The PersistentVolume must be created in the openshift-insights namespace. 
- // +unionMember - // +optional - PersistentVolume PersistentVolumeConfig `json:"persistentVolume,omitempty,omitzero"` -} - -// StorageType declares valid storage types -// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral -type StorageType string - -const ( - // StorageTypePersistentVolume storage type - StorageTypePersistentVolume StorageType = "PersistentVolume" - // StorageTypeEphemeral storage type - StorageTypeEphemeral StorageType = "Ephemeral" -) - -// PersistentVolumeConfig provides configuration options for PersistentVolume storage. -type PersistentVolumeConfig struct { - // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. - // The PersistentVolumeClaim must be created in the openshift-insights namespace. - // +required - Claim PersistentVolumeClaimReference `json:"claim,omitempty,omitzero"` - // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. - // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The current default mount path is /var/lib/insights-operator - // The path may not exceed 1024 characters and must not contain a colon. - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 - // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon" - // +optional - MountPath string `json:"mountPath,omitempty"` -} - -// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim. -type PersistentVolumeClaimReference struct { - // name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. - // It is a string that follows the DNS1123 subdomain format. 
- // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. - // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - // +required - Name string `json:"name,omitempty"` -} - -// GathererConfig allows to configure specific gatherers -type GathererConfig struct { - // name is the required name of a specific gatherer. - // It may not exceed 256 characters. - // The format for a gatherer name is: {gatherer}/{function} where the function is optional. - // Gatherer consists of a lowercase letters only that may include underscores (_). - // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). - // The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - // Run the following command to get the names of last active gatherers: - // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=256 - // +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`gatherer name must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided` - // +required - Name string `json:"name,omitempty"` - // state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". 
- // When set to Enabled the gatherer will run. - // When set to Disabled the gatherer will not run. - // +required - State GathererState `json:"state,omitempty"` -} - -// GathererState declares valid gatherer state types. -// +kubebuilder:validation:Enum=Enabled;Disabled -type GathererState string - -const ( - // GathererStateEnabled gatherer state, which means that the gatherer will run. - GathererStateEnabled GathererState = "Enabled" - // GathererStateDisabled gatherer state, which means that the gatherer will not run. - GathererStateDisabled GathererState = "Disabled" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// InsightsDataGatherList is a collection of items -// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -// +openshift:compatibility-gen:level=1 -type InsightsDataGatherList struct { - metav1.TypeMeta `json:",inline"` - // metadata is the required standard list's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +required - metav1.ListMeta `json:"metadata,omitempty"` - // items is the required list of InsightsDataGather objects - // it may not exceed 100 items - // +kubebuilder:validation:MinItems=0 - // +kubebuilder:validation:MaxItems=100 - // +required - Items []InsightsDataGather `json:"items,omitempty"` -} diff --git a/vendor/github.com/openshift/api/config/v1/types_scheduling.go b/vendor/github.com/openshift/api/config/v1/types_scheduling.go index 028bbd495..a81ed9f30 100644 --- a/vendor/github.com/openshift/api/config/v1/types_scheduling.go +++ b/vendor/github.com/openshift/api/config/v1/types_scheduling.go 
@@ -50,7 +50,6 @@ type SchedulerSpec struct { // profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. // Deprecated: no longer needed, since DRA is GA starting with 4.21, and // is enabled by' default in the cluster, this field will be removed in 4.24. - // +openshift:enable:FeatureGate=DynamicResourceAllocation // +openshift:enable:FeatureGate=HyperShiftOnlyDynamicResourceAllocation // +optional ProfileCustomizations ProfileCustomizations `json:"profileCustomizations"` diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml index 762416197..c7d71e188 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml 
@@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -753,7 +1028,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml index 1388523f8..6459a7d23 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml 
@@ -702,7 +702,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml index cae91bdb4..75a8de357 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml 
@@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -753,7 +1028,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml new file mode 100644 index 000000000..329e0a838 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-OKD.crd.yaml 
@@ -0,0 +1,794 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/495 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD + name: clusterversions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterVersion + listKind: ClusterVersionList + plural: clusterversions + singular: clusterversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.history[?(@.state=="Completed")].version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - jsonPath: .status.conditions[?(@.type=="Progressing")].lastTransitionTime + name: Since + type: date + - jsonPath: .status.conditions[?(@.type=="Progressing")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterVersion is the configuration for the ClusterVersionOperator. This is where + parameters related to automatic updates can be set. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the cluster version - the operator will work + to ensure that the desired version is applied to the cluster. + properties: + capabilities: + description: |- + capabilities configures the installation of optional, core + cluster components. A null value here is identical to an + empty object; see the child properties for default semantics. + properties: + additionalEnabledCapabilities: + description: |- + additionalEnabledCapabilities extends the set of managed + capabilities beyond the baseline defined in + baselineCapabilitySet. The default is an empty set. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + baselineCapabilitySet: + description: |- + baselineCapabilitySet selects an initial set of + optional capabilities to enable, which can be extended via + additionalEnabledCapabilities. If unset, the cluster will + choose a default, and the default may change over time. + The current default is vCurrent. + enum: + - None + - v4.11 + - v4.12 + - v4.13 + - v4.14 + - v4.15 + - v4.16 + - v4.17 + - v4.18 + - vCurrent + type: string + type: object + channel: + description: |- + channel is an identifier for explicitly requesting a non-default set + of updates to be applied to this cluster. The default channel will + contain stable updates that are appropriate for production clusters. 
+ type: string + clusterID: + description: |- + clusterID uniquely identifies this cluster. This is expected to be + an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in + hexadecimal values). This is a required field. + type: string + desiredUpdate: + description: |- + desiredUpdate is an optional field that indicates the desired value of + the cluster version. Setting this value will trigger an upgrade (if + the current version does not match the desired version). The set of + recommended update values is listed as part of available updates in + status, and setting values outside that range may cause the upgrade + to fail. + + Some of the fields are inter-related with restrictions and meanings described here. + 1. image is specified, version is specified, architecture is specified. API validation error. + 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. + 3. image is specified, version is not specified, architecture is specified. API validation error. + 4. image is specified, version is not specified, architecture is not specified. image is used. + 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. + 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. + 7. image is not specified, version is not specified, architecture is specified. API validation error. + 8. image is not specified, version is not specified, architecture is not specified. API validation error. + + If an upgrade fails the operator will halt and report status + about the failing component. Setting the desired update value back to + the previous version will cause a rollback to be attempted if the + previous version is within the current minor version. 
Not all + rollbacks will succeed, and some may unrecoverably break the + cluster. + properties: + architecture: + description: |- + architecture is an optional field that indicates the desired + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. architecture can only be set to Multi thereby + only allowing updates from single to multi architecture. If + architecture is set, image cannot be set and version must be + set. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + force: + description: |- + force allows an administrator to update to an image that has failed + verification or upgradeable checks that are designed to keep your + cluster safe. Only use this if: + * you are testing unsigned release images in short-lived test clusters or + * you are working around a known bug in the cluster-version + operator and you have verified the authenticity of the provided + image yourself. + The provided image will run with full administrative access + to the cluster. Do not use this flag with images that come from unknown + or potentially malicious sources. + type: boolean + image: + description: |- + image is a container image location that contains the update. + image should be used when the desired version does not exist in availableUpdates or history. + When image is set, architecture cannot be specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. + type: string + version: + description: |- + version is a semantic version identifying the update version. + version is required if architecture is specified. + If both version and image are set, the version extracted from the referenced image must match the specified version. + type: string + type: object + x-kubernetes-validations: + - message: cannot set both Architecture and Image + rule: 'has(self.architecture) && has(self.image) ? 
(self.architecture + == "" || self.image == "") : true' + - message: Version must be set if Architecture is set + rule: 'has(self.architecture) && self.architecture != "" ? self.version + != "" : true' + overrides: + description: |- + overrides is list of overides for components that are managed by + cluster version operator. Marking a component unmanaged will prevent + the operator from creating or updating the object. + items: + description: |- + ComponentOverride allows overriding cluster version operator's behavior + for a component. + properties: + group: + description: group identifies the API group that the kind is + in. + type: string + kind: + description: kind indentifies which object to override. + type: string + name: + description: name is the component's name. + type: string + namespace: + description: |- + namespace is the component's namespace. If the resource is cluster + scoped, the namespace should be empty. + type: string + unmanaged: + description: |- + unmanaged controls if cluster version operator should stop managing the + resources in this cluster. + Default: false + type: boolean + required: + - group + - kind + - name + - namespace + - unmanaged + type: object + type: array + x-kubernetes-list-map-keys: + - kind + - group + - namespace + - name + x-kubernetes-list-type: map + upstream: + description: |- + upstream may be used to specify the preferred update server. By default + it will use the appropriate update server for the cluster and region. + type: string + required: + - clusterID + type: object + status: + description: |- + status contains information about the available updates and any in-progress + updates. + properties: + availableUpdates: + description: |- + availableUpdates contains updates recommended for this + cluster. Updates which appear in conditionalUpdates but not in + availableUpdates may expose this cluster to known issues. 
This list + may be empty if no updates are recommended, if the update service + is unavailable, or if an invalid channel has been specified. + items: + description: Release represents an OpenShift release image and associated + metadata. + properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + capabilities: + description: capabilities describes the state of optional, core cluster + components. + properties: + enabledCapabilities: + description: enabledCapabilities lists all the capabilities that + are currently managed. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. 
+ enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + knownCapabilities: + description: knownCapabilities lists all the capabilities known + to the current cluster. + items: + description: ClusterVersionCapability enumerates optional, core + cluster components. + enum: + - openshift-samples + - baremetal + - marketplace + - Console + - Insights + - Storage + - CSISnapshot + - NodeTuning + - MachineAPI + - Build + - DeploymentConfig + - ImageRegistry + - OperatorLifecycleManager + - CloudCredential + - Ingress + - CloudControllerManager + - OperatorLifecycleManagerV1 + type: string + type: array + x-kubernetes-list-type: atomic + type: object + conditionalUpdates: + description: |- + conditionalUpdates contains the list of updates that may be + recommended for this cluster if it meets specific required + conditions. Consumers interested in the set of updates that are + actually recommended for this cluster should use + availableUpdates. This list may be empty if no updates are + recommended, if the update service is unavailable, or if an empty + or invalid channel has been specified. + items: + description: |- + ConditionalUpdate represents an update which is recommended to some + clusters on the version the current cluster is reconciling, but which + may not be recommended for the current cluster. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update's + current status. Known types are: + * Recommended, for whether the update is recommended for the current cluster. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. 
+ properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + risks: + description: |- + risks represents the range of issues associated with + updating to the target release. The cluster-version + operator will evaluate all entries, and only recommend the + update if there is at least one entry and all entries + recommend the update. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. 
The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition + based on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. 
+ format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - release + - risks + type: object + type: array + x-kubernetes-list-type: atomic + conditions: + description: |- + conditions provides information about the cluster version. The condition + "Available" is set to true if the desiredUpdate has been reached. The + condition "Progressing" is set to true if an update is being applied. + The condition "Degraded" is set to true if an update is currently blocked + by a temporary or permanent error. Conditions are only valid for the + current desiredUpdate when metadata.generation is equal to + status.generation. + items: + description: |- + ClusterOperatorStatusCondition represents the state of the operator's + managed and monitored components. + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status property. + format: date-time + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. It may contain Line Feed + characters (U+000A), which should be rendered as new lines. + type: string + reason: + description: reason is the CamelCase reason for the condition's + current status. + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the aspect reported by this condition. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + desired: + description: |- + desired is the version that the cluster is reconciling towards. 
+ If the cluster is not yet fully initialized desired will be set + with the information available, which may be an image or a tag. + properties: + architecture: + description: |- + architecture is an optional field that indicates the + value of the cluster architecture. In this context cluster + architecture means either a single architecture or a multi + architecture. + Valid values are 'Multi' and empty. + enum: + - Multi + - "" + type: string + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + required: + - image + - version + type: object + history: + description: |- + history contains a list of the most recent versions applied to the cluster. + This value may be empty during cluster startup, and then will be updated + when a new update is being applied. The newest update is first in the + list and it is ordered by recency. Updates in the history have state + Completed if the rollout completed - if an update was failing or halfway + applied the state will be Partial. Only a limited amount of update history + is preserved. 
+ items: + description: UpdateHistory is a single attempted update to the cluster. + properties: + acceptedRisks: + description: |- + acceptedRisks records risks which were accepted to initiate the update. + For example, it may mention an Upgradeable=False or missing signature + that was overridden via desiredUpdate.force, or an update that was + initiated despite not being in the availableUpdates set of recommended + update targets. + type: string + completionTime: + description: |- + completionTime, if set, is when the update was fully applied. The update + that is currently being applied will have a null completion time. + Completion time will always be set for entries that are not the current + update (usually to the started time of the next update). + format: date-time + nullable: true + type: string + image: + description: |- + image is a container image location that contains the update. This value + is always populated. + type: string + startedTime: + description: startedTime is the time at which the update was + started. + format: date-time + type: string + state: + description: |- + state reflects whether the update was fully applied. The Partial state + indicates the update is not fully applied, while the Completed state + indicates the update was successfully rolled out at least once (all + parts of the update successfully applied). + type: string + verified: + description: |- + verified indicates whether the provided update was properly verified + before it was installed. If this is false the cluster may not be trusted. + Verified does not cover upgradeable checks that depend on the cluster + state at the time when the update target was accepted. + type: boolean + version: + description: |- + version is a semantic version identifying the update version. If the + requested image does not define a version, or if a failure occurs + retrieving the image, this value may be empty. 
+ type: string + required: + - completionTime + - image + - startedTime + - state + - verified + type: object + type: array + x-kubernetes-list-type: atomic + observedGeneration: + description: |- + observedGeneration reports which version of the spec is being synced. + If this value is not equal to metadata.generation, then the desired + and conditions fields may represent a previous version. + format: int64 + type: integer + versionHash: + description: |- + versionHash is a fingerprint of the content that the cluster will be + updated with. It is used by the operator to avoid unnecessary work + and is for internal use only. + type: string + required: + - availableUpdates + - desired + - observedGeneration + - versionHash + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: the `marketplace` capability requires the `OperatorLifecycleManager` + capability, which is neither explicitly or implicitly enabled in this + cluster, please enable the `OperatorLifecycleManager` capability + rule: 'has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) + && self.spec.capabilities.baselineCapabilitySet == ''None'' && ''marketplace'' + in self.spec.capabilities.additionalEnabledCapabilities ? ''OperatorLifecycleManager'' + in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) + && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) + && ''OperatorLifecycleManager'' in self.status.capabilities.enabledCapabilities) + : true' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml index 376651de5..bd1b206a0 100644 
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml @@ -156,6 +156,34 @@ spec: rollbacks will succeed, and some may unrecoverably break the cluster. properties: + acceptRisks: + description: |- + acceptRisks is an optional set of names of conditional update risks that are considered acceptable. + A conditional update is performed only if all of its risks are acceptable. + This list may contain entries that apply to current, previous or future updates. + The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. + acceptRisks must not contain more than 1000 entries. + Entries in this list must be unique. + items: + description: AcceptRisk represents a risk that is considered + acceptable. + properties: + name: + description: |- + name is the name of the acceptable risk. + It must be a non-empty string and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1000 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map architecture: description: |- architecture is an optional field that indicates the desired 
@@ -428,6 +456,166 @@ spec: type: array x-kubernetes-list-type: atomic type: object + conditionalUpdateRisks: + description: |- + conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. + When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. + If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. + The risk names in the list must be unique. + conditionalUpdateRisks must not contain more than 500 entries. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. 
+ When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promql represents a cluster condition based + on PromQL. + properties: + promql: + description: |- + promql is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map conditionalUpdates: description: |- conditionalUpdates contains the list of updates that may be 
@@ -552,6 +740,21 @@ spec: - image - version type: object + riskNames: + description: |- + riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. + The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. + A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. + The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. + Entries must be unique and must not exceed 256 characters. + riskNames must not contain more than 500 entries. + items: + maxLength: 256 + type: string + maxItems: 500 + minItems: 1 + type: array + x-kubernetes-list-type: set risks: description: |- risks represents the range of issues associated with 
@@ -564,6 +767,78 @@ spec: ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update. properties: + conditions: + description: |- + conditions represents the observations of the conditional update + risk's current status. Known types are: + * Applies, for whether the risk applies to the current cluster. + The condition's types in the list must be unique. + conditions must not contain more than one entry. + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + x-kubernetes-validations: + - message: type must be 'Applies' + rule: has(self.type) && self.type == 'Applies' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map matchingRules: description: |- matchingRules is a slice of conditions for deciding which @@ -753,7 +1028,7 @@ spec: acceptedRisks: description: |- acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature + For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets. diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml new file mode 100644 index 000000000..9f50839d3 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml 
@@ -0,0 +1,437 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). 
+ - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. 
+ enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. 
+ properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. 
An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + 
nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. 
+ type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml deleted file mode 100644 index 29dc56153..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-Default.crd.yaml +++ /dev/null 
@@ -1,415 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). 
This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? 
has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. 
- The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. 
- remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index c36e20e2d..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,510 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. 
- format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. 
- properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
- When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. 
- rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. 
- repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
- self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index d4b1ae9cb..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,510 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. 
- format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. 
- properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
- When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. 
- rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. 
- repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
- self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml index 8794f271f..435c425ea 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml 
@@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: clusterimagepolicies.config.openshift.io spec: group: config.openshift.io @@ -220,7 +219,7 @@ spec: Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml index 55e5ddcb2..15ef1197d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml @@ -79,6 +79,7 @@ spec: - CustomNoUpgrade - DevPreviewNoUpgrade - TechPreviewNoUpgrade + - OKD - "" type: string x-kubernetes-validations: 
@@ -91,6 +92,8 @@ spec: - message: DevPreviewNoUpgrade may not be changed rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' : true' + - message: OKD cannot transition to Default + rule: 'oldSelf == ''OKD'' ? self != '''' : true' type: object x-kubernetes-validations: - message: .spec.featureSet cannot be removed diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml deleted file mode 100644 index ee88c398e..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-Default.crd.yaml +++ /dev/null 
@@ -1,416 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). 
This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? 
has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. 
- The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. 
- remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 99d2af133..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,511 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. 
- format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. 
- properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
- When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. 
- rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. 
- repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
- self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index a8b7aba7c..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,511 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2310 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy is a required field that contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. 
- properties: - rootOfTrust: - description: |- - rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. - This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. - fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the fulcioCAData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the fulcioCAData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - fulcioSubject: - description: fulcioSubject is a required field specifies - OIDC issuer and the email of the Fulcio authentication - configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. - It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. - When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. 
- Example: "https://expected.OIDC.issuer/" - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail is a required field holds the email address that the Fulcio certificate is issued for. - The signedEmail must be a valid email address and at most 320 characters in length. - Example: "expected-signing-user@example.com" - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: |- - pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - pki is required when policyType is PKI, and forbidden otherwise. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. 
- format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - minLength: 72 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. 
- properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email must be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname must be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It must consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. - Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". - When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. 
- When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: |- - publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. - publicKey is required when policyType is PublicKey, and forbidden otherwise. - properties: - keyData: - description: |- - keyData is a required field contains inline base64-encoded data for the PEM format public key. - keyData must be at most 8192 characters. - format: byte - maxLength: 8192 - minLength: 68 - type: string - x-kubernetes-validations: - - message: the keyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the keyData must end with base64 encoding of - '-----END PUBLIC KEY-----'. - rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - rekorKeyData: - description: |- - rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the rekorKeyData must start with base64 encoding - of '-----BEGIN PUBLIC KEY-----'. - rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') - - message: the rekorKeyData must end with base64 encoding - of '-----END PUBLIC KEY-----'. 
- rule: string(self).endsWith('-----END PUBLIC KEY-----\n') - || string(self).endsWith('-----END PUBLIC KEY-----') - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: |- - signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. - The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: |- - exactRepository specifies the repository that must be exactly matched by the identity in the signature. - exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. 
- repository is required if matchPolicy is set to "ExactRepository". - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. - Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. - When set to "ExactRepository", the exactRepository must be specified. 
The identity in the signature must be in the same repository as a specific identity specified by "repository". - When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: |- - remapIdentity specifies the prefix remapping rule for verifying image identity. - remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. - properties: - prefix: - description: |- - prefix is required if matchPolicy is set to "RemapIdentity". - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? 
- self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is required if matchPolicy is set to "RemapIdentity". - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity. - The repository or prefix must starts with 'localhost' - or a valid '.' separated domain. If contains registry - paths, the path component names must start with at - least one letter or number, with following parts able - to be separated by one period, one or two underscore - and multiple dashes. 
- rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
- In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? 
self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: |- - conditions provide details on the status of this API Resource. - condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml index f71c64952..d649f057d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml 
@@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: imagepolicies.config.openshift.io spec: group: config.openshift.io @@ -220,7 +219,7 @@ spec: Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). enum: - PublicKey - FulcioCAWithRekor diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml new file mode 100644 index 000000000..ed9fb2c3b --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml 
@@ -0,0 +1,2338 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: infrastructures.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Infrastructure + listKind: InfrastructureList + plural: infrastructures + singular: infrastructure + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Infrastructure holds cluster-wide information about Infrastructure. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + cloudConfig: + description: |- + cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file. 
+ This configuration file is used to configure the Kubernetes cloud provider integration + when using the built-in cloud provider integration or the external cloud controller manager. + The namespace for this config map is openshift-config. + + cloudConfig should only be consumed by the kube_cloud_config controller. + The controller is responsible for using the user configuration in the spec + for various platforms and combining that with the user provided ConfigMap in this field + to create a stitched kube cloud config. + The controller generates a ConfigMap `kube-cloud-config` in `openshift-config-managed` namespace + with the kube cloud config is stored in `cloud.conf` key. + All the clients are expected to use the generated ConfigMap only. + properties: + key: + description: key allows pointing to a specific key/value inside + of the configmap. This is useful for logical file references. + type: string + name: + type: string + type: object + platformSpec: + description: |- + platformSpec holds desired information specific to the underlying + infrastructure provider. + properties: + alibabaCloud: + description: alibabaCloud contains settings specific to the Alibaba + Cloud infrastructure provider. + type: object + aws: + description: aws contains settings specific to the Amazon Web + Services infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints list contains custom endpoints which will override default + service endpoint of AWS Services. + There must be only one ServiceEndpoint for a service. + items: + description: |- + AWSServiceEndpoint store the configuration of a custom url to + override existing defaults of AWS Services. + properties: + name: + description: |- + name is the name of the AWS service. + The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html + This must be provided and cannot be empty. 
+ pattern: ^[a-z0-9-]+$ + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + pattern: ^https:// + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + azure: + description: azure contains settings specific to the Azure infrastructure + provider. + type: object + baremetal: + description: baremetal contains settings specific to the BareMetal + platform. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. 
+ In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + equinixMetal: + description: equinixMetal contains settings specific to the Equinix + Metal infrastructure provider. + type: object + external: + description: |- + ExternalPlatformType represents generic infrastructure provider. 
+ Platform-specific components should be supplemented separately. + properties: + platformName: + default: Unknown + description: |- + platformName holds the arbitrary string representing the infrastructure provider name, expected to be set at the installation time. + This field is solely for informational and reporting purposes and is not expected to be used for decision-making. + type: string + x-kubernetes-validations: + - message: platform name cannot be changed once set + rule: oldSelf == 'Unknown' || self == oldSelf + type: object + gcp: + description: gcp contains settings specific to the Google Cloud + Platform infrastructure provider. + type: object + ibmcloud: + description: ibmcloud contains settings specific to the IBMCloud + infrastructure provider. + type: object + kubevirt: + description: kubevirt contains settings specific to the kubevirt + infrastructure provider. + type: object + nutanix: + description: nutanix contains settings specific to the Nutanix + infrastructure provider. + properties: + failureDomains: + description: |- + failureDomains configures failure domains information for the Nutanix platform. + When set, the failure domains defined here may be used to spread Machines across + prism element clusters to improve fault tolerance of the cluster. + items: + description: NutanixFailureDomain configures failure domain + information for the Nutanix platform. + properties: + cluster: + description: |- + cluster is to identify the cluster (the Prism Element under management of the Prism Central), + in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained + from the Prism Central console or using the prism_central API. + properties: + name: + description: name is the resource name in the PC. + It cannot be empty if the type is Name. + type: string + type: + description: type is the identifier type to use + for this resource. 
+ enum: + - UUID + - Name + type: string + uuid: + description: uuid is the UUID of the resource in + the PC. It cannot be empty if the type is UUID. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: uuid configuration is required when type + is UUID, and forbidden otherwise + rule: 'has(self.type) && self.type == ''UUID'' ? has(self.uuid) + : !has(self.uuid)' + - message: name configuration is required when type + is Name, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Name'' ? has(self.name) + : !has(self.name)' + name: + description: |- + name defines the unique name of a failure domain. + Name is required and must be at most 64 characters in length. + It must consist of only lower case alphanumeric characters and hyphens (-). + It must start and end with an alphanumeric character. + This value is arbitrary and is used to identify the failure domain within the platform. + maxLength: 64 + minLength: 1 + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?' + type: string + subnets: + description: |- + subnets holds a list of identifiers (one or more) of the cluster's network subnets + If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured. + for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be + obtained from the Prism Central console or using the prism_central API. + items: + description: NutanixResourceIdentifier holds the identity + of a Nutanix PC resource (cluster, image, subnet, + etc.) + properties: + name: + description: name is the resource name in the + PC. It cannot be empty if the type is Name. + type: string + type: + description: type is the identifier type to use + for this resource. + enum: + - UUID + - Name + type: string + uuid: + description: uuid is the UUID of the resource + in the PC. It cannot be empty if the type is + UUID. 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: uuid configuration is required when type + is UUID, and forbidden otherwise + rule: 'has(self.type) && self.type == ''UUID'' ? has(self.uuid) + : !has(self.uuid)' + - message: name configuration is required when type + is Name, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Name'' ? has(self.name) + : !has(self.name)' + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - cluster + - name + - subnets + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + prismCentral: + description: |- + prismCentral holds the endpoint address and port to access the Nutanix Prism Central. + When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. + Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the + proxy spec.noProxy list. + properties: + address: + description: address is the endpoint address (DNS name + or IP address) of the Nutanix Prism Central or Element + (cluster) + maxLength: 256 + type: string + port: + description: port is the port number to access the Nutanix + Prism Central or Element (cluster) + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + prismElements: + description: |- + prismElements holds one or more endpoint address and port data to access the Nutanix + Prism Elements (clusters) of the Nutanix Prism Central. Currently we only support one + Prism Element (cluster) for an OpenShift cluster, where all the Nutanix resources (VMs, subnets, volumes, etc.) + used in the OpenShift cluster are located. In the future, we may support Nutanix resources (VMs, etc.) + spread over multiple Prism Elements (clusters) of the Prism Central. 
+ items: + description: NutanixPrismElementEndpoint holds the name + and endpoint data for a Prism Element (cluster) + properties: + endpoint: + description: |- + endpoint holds the endpoint address and port data of the Prism Element (cluster). + When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. + Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the + proxy spec.noProxy list. + properties: + address: + description: address is the endpoint address (DNS + name or IP address) of the Nutanix Prism Central + or Element (cluster) + maxLength: 256 + type: string + port: + description: port is the port number to access the + Nutanix Prism Central or Element (cluster) + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + name: + description: |- + name is the name of the Prism Element (cluster). This value will correspond with + the cluster field configured on other resources (eg Machines, PVCs, etc). + maxLength: 256 + type: string + required: + - endpoint + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - prismCentral + - prismElements + type: object + openstack: + description: openstack contains settings specific to the OpenStack + infrastructure provider. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. 
+ Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". 
+ items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + ovirt: + description: ovirt contains settings specific to the oVirt infrastructure + provider. + type: object + powervs: + description: powervs contains settings specific to the IBM Power + Systems Virtual Servers infrastructure provider. + properties: + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of a Power VS service. + items: + description: |- + PowervsServiceEndpoint stores the configuration of a custom url to + override existing defaults of PowerVS Services. + properties: + name: + description: |- + name is the name of the Power VS service. + Few of the services are + IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api + ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller + Power Cloud - https://cloud.ibm.com/apidocs/power-cloud + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - Power + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. 
+ format: uri + pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. This + value controls whether infrastructure automation such as service load + balancers, dynamic volume provisioning, machine creation and deletion, and + other integrations are enabled. If None, no infrastructure automation is + enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", + "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, + and must handle unrecognized platforms as None if they do not support that platform. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + vsphere: + description: vsphere contains settings specific to the VSphere + infrastructure provider. + properties: + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.apiServerInternalIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). 
+ maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + failureDomains: + description: |- + failureDomains contains the definition of region, zone and the vCenter topology. + If this is omitted failure domains (regions and zones) will not be used. + items: + description: VSpherePlatformFailureDomainSpec holds the + region and zone failure domain and the vCenter topology + of that failure domain. + properties: + name: + description: |- + name defines the arbitrary but unique name + of a failure domain. + maxLength: 256 + minLength: 1 + type: string + region: + description: |- + region defines the name of a region tag that will + be attached to a vCenter datacenter. The tag + category in vCenter must be named openshift-region. + maxLength: 80 + minLength: 1 + type: string + regionAffinity: + description: |- + regionAffinity holds the type of region, Datacenter or ComputeCluster. + When set to Datacenter, this means the region is a vCenter Datacenter as defined in topology. + When set to ComputeCluster, this means the region is a vCenter Cluster as defined in topology. + properties: + type: + description: |- + type determines the vSphere object type for a region within this failure domain. + Available types are Datacenter and ComputeCluster. + When set to Datacenter, this means the vCenter Datacenter defined is the region. + When set to ComputeCluster, this means the vCenter cluster defined is the region. 
+ enum: + - ComputeCluster + - Datacenter + type: string + required: + - type + type: object + server: + anyOf: + - format: ipv4 + - format: ipv6 + - format: hostname + description: server is the fully-qualified domain name + or the IP address of the vCenter server. + maxLength: 255 + minLength: 1 + type: string + topology: + description: topology describes a given failure domain + using vSphere constructs + properties: + computeCluster: + description: |- + computeCluster the absolute path of the vCenter cluster + in which virtual machine will be located. + The absolute path is of the form //host/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/host/.*? + type: string + datacenter: + description: |- + datacenter is the name of vCenter datacenter in which virtual machines will be located. + The maximum length of the datacenter name is 80 characters. + maxLength: 80 + type: string + datastore: + description: |- + datastore is the absolute path of the datastore in which the + virtual machine is located. + The absolute path is of the form //datastore/ + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/datastore/.*? + type: string + folder: + description: |- + folder is the absolute path of the folder where + virtual machines are located. The absolute path + is of the form //vm/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/vm/.*? + type: string + networks: + description: |- + networks is the list of port group network names within this failure domain. + If feature gate VSphereMultiNetworks is enabled, up to 10 network adapters may be defined. 
+ 10 is the maximum number of virtual network devices which may be attached to a VM as defined by: + https://configmax.esp.vmware.com/guest?vmwareproduct=vSphere&release=vSphere%208.0&categories=1-0 + The available networks (port groups) can be listed using + `govc ls 'network/*'` + Networks should be in the form of an absolute path: + //network/. + items: + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + resourcePool: + description: |- + resourcePool is the absolute path of the resource pool where virtual machines will be + created. The absolute path is of the form //host//Resources/. + The maximum length of the path is 2048 characters. + maxLength: 2048 + pattern: ^/.*?/host/.*?/Resources.* + type: string + template: + description: |- + template is the full inventory path of the virtual machine or template + that will be cloned when creating new machines in this failure domain. + The maximum length of the path is 2048 characters. + + When omitted, the template will be calculated by the control plane + machineset operator based on the region and zone defined in + VSpherePlatformFailureDomainSpec. + For example, for zone=zonea, region=region1, and infrastructure name=test, + the template path would be calculated as //vm/test-rhcos-region1-zonea. + maxLength: 2048 + minLength: 1 + pattern: ^/.*?/vm/.*? + type: string + required: + - computeCluster + - datacenter + - datastore + - networks + type: object + zone: + description: |- + zone defines the name of a zone tag that will + be attached to a vCenter cluster. The tag + category in vCenter must be named openshift-zone. + maxLength: 80 + minLength: 1 + type: string + zoneAffinity: + description: |- + zoneAffinity holds the type of the zone and the hostGroup which + vmGroup and the hostGroup names in vCenter corresponds to + a vm-host group of type Virtual Machine and Host respectively. Is also + contains the vmHostRule which is an affinity vm-host rule in vCenter. 
+ properties: + hostGroup: + description: |- + hostGroup holds the vmGroup and the hostGroup names in vCenter + corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also + contains the vmHostRule which is an affinity vm-host rule in vCenter. + properties: + hostGroup: + description: |- + hostGroup is the name of the vm-host group of type host within vCenter for this failure domain. + hostGroup is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + vmGroup: + description: |- + vmGroup is the name of the vm-host group of type virtual machine within vCenter for this failure domain. + vmGroup is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + vmHostRule: + description: |- + vmHostRule is the name of the affinity vm-host rule within vCenter for this failure domain. + vmHostRule is limited to 80 characters. + This field is required when the VSphereFailureDomain ZoneType is HostGroup + maxLength: 80 + minLength: 1 + type: string + required: + - hostGroup + - vmGroup + - vmHostRule + type: object + type: + description: |- + type determines the vSphere object type for a zone within this failure domain. + Available types are ComputeCluster and HostGroup. + When set to ComputeCluster, this means the vCenter cluster defined is the zone. + When set to HostGroup, hostGroup must be configured with hostGroup, vmGroup and vmHostRule and + this means the zone is defined by the grouping of those fields. + enum: + - HostGroup + - ComputeCluster + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: hostGroup is required when type is HostGroup, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''HostGroup'' + ? 
has(self.hostGroup) : !has(self.hostGroup)' + required: + - name + - region + - server + - topology + - zone + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. + In dual stack clusters this list contains two IP addresses, one from IPv4 + family and one from IPv6. + In single stack clusters a single IP address is expected. + When omitted, values from the status.ingressIPs will be used. + Once set, the list cannot be completely removed (but its second entry can). + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'size(self) == 2 && isIP(self[0]) && isIP(self[1]) + ? ip(self[0]).family() != ip(self[1]).family() : true' + machineNetworks: + description: |- + machineNetworks are IP networks used to connect all the OpenShift cluster + nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, + for example "10.0.0.0/8" or "fd00::/8". + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). 
+ maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeNetworking: + description: |- + nodeNetworking contains the definition of internal and external network constraints for + assigning the node's networking. + If this field is omitted, networking defaults to the legacy + address selection behavior which is to only support a single address and + return the first one found. + properties: + external: + description: external represents the network configuration + of the node that is externally routable. + properties: + excludeNetworkSubnetCidr: + description: |- + excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting + the IP address from the VirtualMachine's VM for use in the status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: atomic + network: + description: |- + network VirtualMachine's VM Network names that will be used to when searching + for status.addresses fields. Note that if internal.networkSubnetCIDR and + external.networkSubnetCIDR are not set, then the vNIC associated to this network must + only have a single IP address assigned to it. + The available networks (port groups) can be listed using + `govc ls 'network/*'` + type: string + networkSubnetCidr: + description: |- + networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs + that will be used in respective status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: set + type: object + internal: + description: internal represents the network configuration + of the node that is routable only within the cluster. 
+ properties: + excludeNetworkSubnetCidr: + description: |- + excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting + the IP address from the VirtualMachine's VM for use in the status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: atomic + network: + description: |- + network VirtualMachine's VM Network names that will be used to when searching + for status.addresses fields. Note that if internal.networkSubnetCIDR and + external.networkSubnetCIDR are not set, then the vNIC associated to this network must + only have a single IP address assigned to it. + The available networks (port groups) can be listed using + `govc ls 'network/*'` + type: string + networkSubnetCidr: + description: |- + networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs + that will be used in respective status.addresses fields. + items: + format: cidr + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + vcenters: + description: |- + vcenters holds the connection details for services to communicate with vCenter. + Currently, only a single vCenter is supported, but in tech preview 3 vCenters are supported. + Once the cluster has been installed, you are unable to change the current number of defined + vCenters except in the case where the cluster has been upgraded from a version of OpenShift + where the vsphere platform spec was not present. You may make modifications to the existing + vCenters that are defined in the vcenters list in order to match with any added or modified + failure domains. + items: + description: |- + VSpherePlatformVCenterSpec stores the vCenter connection fields. + This is used by the vSphere CCM. + properties: + datacenters: + description: |- + The vCenter Datacenters in which the RHCOS + vm guests are located. This field will + be used by the Cloud Controller Manager. 
+ Each datacenter listed here should be used within + a topology. + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + port: + description: |- + port is the TCP port that will be used to communicate to + the vCenter endpoint. + When omitted, this means the user has no opinion and + it is up to the platform to choose a sensible default, + which is subject to change over time. + format: int32 + maximum: 32767 + minimum: 1 + type: integer + server: + anyOf: + - format: ipv4 + - format: ipv6 + - format: hostname + description: server is the fully-qualified domain name + or the IP address of the vCenter server. + maxLength: 255 + type: string + required: + - datacenters + - server + type: object + maxItems: 3 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: vcenters cannot be added or removed once set + rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0 + && size(self) < 2 : true' + type: object + x-kubernetes-validations: + - message: apiServerInternalIPs list is required once set + rule: '!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)' + - message: ingressIPs list is required once set + rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)' + - message: vcenters can have at most 1 item when configured post-install + rule: '!has(oldSelf.vcenters) && has(self.vcenters) ? size(self.vcenters) + < 2 : true' + type: object + x-kubernetes-validations: + - message: vcenters can have at most 1 item when configured post-install + rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? size(self.vsphere.vcenters) + < 2 : true' + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + apiServerInternalURI: + description: |- + apiServerInternalURL is a valid URI with scheme 'https', + address and optionally a port (defaulting to 443). 
apiServerInternalURL can be used by components + like kubelets, to contact the Kubernetes API server using the + infrastructure provider rather than Kubernetes networking. + type: string + apiServerURL: + description: |- + apiServerURL is a valid URI with scheme 'https', address and + optionally a port (defaulting to 443). apiServerURL can be used by components like the web console + to tell users where to find the Kubernetes API. + type: string + controlPlaneTopology: + default: HighlyAvailable + description: |- + controlPlaneTopology expresses the expectations for operands that normally run on control nodes. + The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster. + The 'SingleReplica' mode will be used in single-node deployments + and the operators should not configure the operand for highly-available operation + The 'External' mode indicates that the control plane is hosted externally to the cluster and that + its components are not visible within the cluster. + enum: + - HighlyAvailable + - HighlyAvailableArbiter + - SingleReplica + - External + type: string + cpuPartitioning: + default: None + description: |- + cpuPartitioning expresses if CPU partitioning is a currently enabled feature in the cluster. + CPU Partitioning means that this cluster can support partitioning workloads to specific CPU Sets. + Valid values are "None" and "AllNodes". When omitted, the default value is "None". + The default value of "None" indicates that no nodes will be setup with CPU partitioning. + The "AllNodes" value indicates that all nodes have been setup with CPU partitioning, + and can then be further configured via the PerformanceProfile API. + enum: + - None + - AllNodes + type: string + etcdDiscoveryDomain: + description: |- + etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering + etcd servers and clients. 
+ For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery + deprecated: as of 4.7, this field is no longer set or honored. It will be removed in a future release. + type: string + infrastructureName: + description: |- + infrastructureName uniquely identifies a cluster with a human friendly name. + Once set it should not be changed. Must be of max length 27 and must have only + alphanumeric or hyphen characters. + type: string + infrastructureTopology: + default: HighlyAvailable + description: |- + infrastructureTopology expresses the expectations for infrastructure services that do not run on control + plane nodes, usually indicated by a node selector for a `role` value + other than `master`. + The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster. + The 'SingleReplica' mode will be used in single-node deployments + and the operators should not configure the operand for highly-available operation + NOTE: External topology mode is not applicable for this field. + enum: + - HighlyAvailable + - SingleReplica + type: string + platform: + description: |- + platform is the underlying infrastructure provider for the cluster. + + Deprecated: Use platformStatus.type instead. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + platformStatus: + description: |- + platformStatus holds status information specific to the underlying + infrastructure provider. + properties: + alibabaCloud: + description: alibabaCloud contains settings specific to the Alibaba + Cloud infrastructure provider. + properties: + region: + description: region specifies the region for Alibaba Cloud + resources created for the cluster. 
+ pattern: ^[0-9A-Za-z-]+$ + type: string + resourceGroupID: + description: resourceGroupID is the ID of the resource group + for the cluster. + pattern: ^(rg-[0-9A-Za-z]+)?$ + type: string + resourceTags: + description: resourceTags is a list of additional tags to + apply to Alibaba Cloud resources created for the cluster. + items: + description: AlibabaCloudResourceTag is the set of tags + to add to apply to resources. + properties: + key: + description: key is the key of the tag. + maxLength: 128 + minLength: 1 + type: string + value: + description: value is the value of the tag. + maxLength: 128 + minLength: 1 + type: string + required: + - key + - value + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + required: + - region + type: object + aws: + description: aws contains settings specific to the Amazon Web + Services infrastructure provider. + properties: + region: + description: region holds the default AWS region for new AWS + resources created by the cluster. + type: string + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to AWS resources created for the cluster. + See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. + AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags + available for the user. + items: + description: AWSResourceTag is a tag to apply to AWS resources + created for the cluster. + properties: + key: + description: |- + key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. + Key should consist of between 1 and 128 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: invalid AWS resource tag key. 
The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') + value: + description: |- + value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. + Value should consist of between 1 and 256 characters, and may + contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. + Some AWS service do not support empty values. Since tags are added to resources in many services, the + length of the tag value must meet the requirements of all services. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: invalid AWS resource tag value. The string + can contain only the set of alphanumeric characters, + space (' '), '_', '.', '/', '=', '+', '-', ':', + '@' + rule: self.matches('^[0-9A-Za-z_.:/=+-@ ]+$') + required: + - key + - value + type: object + maxItems: 25 + type: array + x-kubernetes-list-type: atomic + serviceEndpoints: + description: |- + serviceEndpoints list contains custom endpoints which will override default + service endpoint of AWS Services. + There must be only one ServiceEndpoint for a service. + items: + description: |- + AWSServiceEndpoint store the configuration of a custom url to + override existing defaults of AWS Services. + properties: + name: + description: |- + name is the name of the AWS service. + The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html + This must be provided and cannot be empty. + pattern: ^[a-z0-9-]+$ + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. 
+ pattern: ^https:// + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + azure: + description: azure contains settings specific to the Azure infrastructure + provider. + properties: + armEndpoint: + description: armEndpoint specifies a URL to use for resource + management in non-soverign clouds such as Azure Stack. + type: string + cloudName: + description: |- + cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK + with the appropriate Azure API endpoints. + If empty, the value is equal to `AzurePublicCloud`. + enum: + - "" + - AzurePublicCloud + - AzureUSGovernmentCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureStackCloud + type: string + networkResourceGroupName: + description: |- + networkResourceGroupName is the Resource Group for network resources like the Virtual Network and Subnets used by the cluster. + If empty, the value is same as ResourceGroupName. + type: string + resourceGroupName: + description: resourceGroupName is the Resource Group for new + Azure resources created for the cluster. + type: string + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to Azure resources created for the cluster. + See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources. + Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags + may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration. + items: + description: AzureResourceTag is a tag to apply to Azure + resources created for the cluster. + properties: + key: + description: |- + key is the key part of the tag. A tag key can have a maximum of 128 characters and cannot be empty. Key + must begin with a letter, end with a letter, number or underscore, and must contain only alphanumeric + characters and the following special characters `_ . -`. 
+ maxLength: 128 + minLength: 1 + pattern: ^[a-zA-Z]([0-9A-Za-z_.-]*[0-9A-Za-z_])?$ + type: string + value: + description: |- + value is the value part of the tag. A tag value can have a maximum of 256 characters and cannot be empty. Value + must contain only alphanumeric characters and the following special characters `_ + , - . / : ; < = > ? @`. + maxLength: 256 + minLength: 1 + pattern: ^[0-9A-Za-z_.=+-@]+$ + type: string + required: + - key + - value + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: resourceTags are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + type: object + x-kubernetes-validations: + - message: resourceTags may only be configured during installation + rule: '!has(oldSelf.resourceTags) && !has(self.resourceTags) + || has(oldSelf.resourceTags) && has(self.resourceTags)' + baremetal: + description: baremetal contains settings specific to the BareMetal + platform. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. 
+ format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on BareMetal platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. 
+ When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + BareMetal deployments. In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + equinixMetal: + description: equinixMetal contains settings specific to the Equinix + Metal infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. 
+ type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + type: string + type: object + external: + description: external contains settings specific to the generic + External infrastructure provider. + properties: + cloudControllerManager: + description: |- + cloudControllerManager contains settings specific to the external Cloud Controller Manager (a.k.a. CCM or CPI). + When omitted, new nodes will be not tainted + and no extra initialization from the cloud controller manager is expected. + properties: + state: + description: |- + state determines whether or not an external Cloud Controller Manager is expected to + be installed within the cluster. + https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/#running-cloud-controller-manager + + Valid values are "External", "None" and omitted. + When set to "External", new nodes will be tainted as uninitialized when created, + preventing them from running workloads until they are initialized by the cloud controller manager. + When omitted or set to "None", new nodes will be not tainted + and no extra initialization from the cloud controller manager is expected. + enum: + - "" + - External + - None + type: string + x-kubernetes-validations: + - message: state is immutable once set + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: state may not be added or removed once set + rule: (has(self.state) == has(oldSelf.state)) || (!has(oldSelf.state) + && self.state != "External") + type: object + x-kubernetes-validations: + - message: cloudControllerManager may not be added or removed + once set + rule: has(self.cloudControllerManager) == has(oldSelf.cloudControllerManager) + gcp: + description: gcp contains settings specific to the Google Cloud + Platform infrastructure provider. 
+ properties: + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + nullable: true + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). 
+ maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. 
+ enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType is + ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' + projectID: + description: resourceGroupName is the Project ID for new GCP + resources created for the cluster. + type: string + region: + description: region holds the region for new GCP resources + created for the cluster. + type: string + resourceLabels: + description: |- + resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. + See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. + GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, + allowing 32 labels for user configuration. + items: + description: GCPResourceLabel is a label to apply to GCP + resources created for the cluster. + properties: + key: + description: |- + key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty. + Label key must begin with a lowercase letter, and must contain only lowercase letters, numeric characters, + and the following special characters `_-`. Label key must not have the reserved prefixes `kubernetes-io` + and `openshift-io`. + maxLength: 63 + minLength: 1 + pattern: ^[a-z][0-9a-z_-]{0,62}$ + type: string + x-kubernetes-validations: + - message: label keys must not start with either `openshift-io` + or `kubernetes-io` + rule: '!self.startsWith(''openshift-io'') && !self.startsWith(''kubernetes-io'')' + value: + description: |- + value is the value part of the label. A label value can have a maximum of 63 characters and cannot be empty. 
+ Value must contain only lowercase letters, numeric characters, and the following special characters `_-`. + maxLength: 63 + minLength: 1 + pattern: ^[0-9a-z_-]{1,63}$ + type: string + required: + - key + - value + type: object + maxItems: 32 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: resourceLabels are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + resourceTags: + description: |- + resourceTags is a list of additional tags to apply to GCP resources created for the cluster. + See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on + tagging GCP resources. GCP supports a maximum of 50 tags per resource. + items: + description: GCPResourceTag is a tag to apply to GCP resources + created for the cluster. + properties: + key: + description: |- + key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. + Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase + alphanumeric characters, and the following special characters `._-`. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$ + type: string + parentID: + description: |- + parentID is the ID of the hierarchical resource where the tags are defined, + e.g. at the Organization or the Project level. To find the Organization or Project ID refer to the following pages: + https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id, + https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects. + An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. 
+ A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, + and hyphens, and must start with a letter, and cannot end with a hyphen. + maxLength: 32 + minLength: 1 + pattern: (^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$) + type: string + value: + description: |- + value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. + Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase + alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$ + type: string + required: + - key + - parentID + - value + type: object + maxItems: 50 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: resourceTags are immutable and may only be configured + during installation + rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) + type: object + x-kubernetes-validations: + - message: resourceLabels may only be configured during installation + rule: '!has(oldSelf.resourceLabels) && !has(self.resourceLabels) + || has(oldSelf.resourceLabels) && has(self.resourceLabels)' + - message: resourceTags may only be configured during installation + rule: '!has(oldSelf.resourceTags) && !has(self.resourceTags) + || has(oldSelf.resourceTags) && has(self.resourceTags)' + ibmcloud: + description: ibmcloud contains settings specific to the IBMCloud + infrastructure provider. 
+ properties: + cisInstanceCRN: + description: |- + cisInstanceCRN is the CRN of the Cloud Internet Services instance managing + the DNS zone for the cluster's base domain + type: string + dnsInstanceCRN: + description: |- + dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone + for the cluster's base domain + type: string + location: + description: location is where the cluster has been deployed + type: string + providerType: + description: providerType indicates the type of cluster that + was created + type: string + resourceGroupName: + description: resourceGroupName is the Resource Group for new + IBMCloud resources created for the cluster. + type: string + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of an IBM service. These endpoints are used by components + within the cluster when trying to reach the IBM Cloud Services that have been + overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each + endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus + are updated to reflect the same custom endpoints. + items: + description: |- + IBMCloudServiceEndpoint stores the configuration of a custom url to + override existing defaults of IBM Cloud Services. + properties: + name: + description: |- + name is the name of the IBM Cloud service. + Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. 
+ For example, the IBM Cloud Private IAM service could be configured with the + service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` + Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured + with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com` + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. The path must follow the pattern + /v[0,9]+ or /api/v[0,9]+ + maxLength: 300 + type: string + x-kubernetes-validations: + - message: url must be a valid absolute URL + rule: isURL(self) + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + kubevirt: + description: kubevirt contains settings specific to the kubevirt + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + type: string + type: object + nutanix: + description: nutanix contains settings specific to the Nutanix + infrastructure provider. 
+ properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. 
+ format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on Nutanix platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + type: object + openstack: + description: openstack contains settings specific to the OpenStack + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. 
+ + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + cloudName: + description: |- + cloudName is the name of the desired OpenStack cloud in the + client configuration file (`clouds.yaml`). + type: string + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? 
ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on OpenStack platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + OpenStack deployments. 
In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + ovirt: + description: ovirt contains settings specific to the oVirt infrastructure + provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. 
The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on Ovirt platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + nodeDNSIP: + description: 'deprecated: as of 4.6, this field is no longer + set or honored. It will be removed in a future release.' + type: string + type: object + powervs: + description: powervs contains settings specific to the Power Systems + Virtual Servers infrastructure provider. 
+ properties: + cisInstanceCRN: + description: |- + cisInstanceCRN is the CRN of the Cloud Internet Services instance managing + the DNS zone for the cluster's base domain + type: string + dnsInstanceCRN: + description: |- + dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone + for the cluster's base domain + type: string + region: + description: region holds the default Power VS region for + new Power VS resources created by the cluster. + type: string + resourceGroup: + description: |- + resourceGroup is the resource group name for new IBMCloud resources created for a cluster. + The resource group specified here will be used by cluster-image-registry-operator to set up a COS Instance in IBMCloud for the cluster registry. + More about resource groups can be found here: https://cloud.ibm.com/docs/account?topic=account-rgs. + When omitted, the image registry operator won't be able to configure storage, + which results in the image registry cluster operator not being in an available state. + maxLength: 40 + pattern: ^[a-zA-Z0-9-_ ]+$ + type: string + x-kubernetes-validations: + - message: resourceGroup is immutable once set + rule: oldSelf == '' || self == oldSelf + serviceEndpoints: + description: |- + serviceEndpoints is a list of custom endpoints which will override the default + service endpoints of a Power VS service. + items: + description: |- + PowervsServiceEndpoint stores the configuration of a custom url to + override existing defaults of PowerVS Services. + properties: + name: + description: |- + name is the name of the Power VS service. 
+ Few of the services are + IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api + ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller + Power Cloud - https://cloud.ibm.com/apidocs/power-cloud + enum: + - CIS + - COS + - COSConfig + - DNSServices + - GlobalCatalog + - GlobalSearch + - GlobalTagging + - HyperProtect + - IAM + - KeyProtect + - Power + - ResourceController + - ResourceManager + - VPC + type: string + url: + description: |- + url is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + format: uri + pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + zone: + description: |- + zone holds the default zone for the new Power VS resources created by the cluster. + Note: Currently only single-zone OCP clusters are supported + type: string + type: object + x-kubernetes-validations: + - message: cannot unset resourceGroup once set + rule: '!has(oldSelf.resourceGroup) || has(self.resourceGroup)' + type: + description: |- + type is the underlying infrastructure provider for the cluster. This + value controls whether infrastructure automation such as service load + balancers, dynamic volume provisioning, machine creation and deletion, and + other integrations are enabled. If None, no infrastructure automation is + enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "EquinixMetal", "PowerVS", "AlibabaCloud", "Nutanix" and "None". + Individual components may not support all platforms, and must handle + unrecognized platforms as None if they do not support that platform. + + This value will be synced with to the `status.platform` and `status.platformStatus.type`. + Currently this value cannot be changed once set. 
+ enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + vsphere: + description: vsphere contains settings specific to the VSphere + infrastructure provider. + properties: + apiServerInternalIP: + description: |- + apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used + by components inside the cluster, like kubelets using the infrastructure rather + than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI + points to. It is the IP for a self-hosted load balancer in front of the API servers. + + Deprecated: Use APIServerInternalIPs instead. + type: string + apiServerInternalIPs: + description: |- + apiServerInternalIPs are the IP addresses to contact the Kubernetes API + server that can be used by components inside the cluster, like kubelets + using the infrastructure rather than Kubernetes networking. These are the + IPs for a self-hosted load balancer in front of the API servers. In dual + stack clusters this list contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: apiServerInternalIPs must contain at most one IPv4 + address and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + ingressIP: + description: |- + ingressIP is an external IP which routes to the default ingress controller. + The IP is a suitable target of a wildcard DNS record used to resolve default route host names. + + Deprecated: Use IngressIPs instead. + type: string + ingressIPs: + description: |- + ingressIPs are the external IPs which route to the default ingress + controller. 
The IPs are suitable targets of a wildcard DNS record used to + resolve default route host names. In dual stack clusters this list + contains two IPs otherwise only one. + format: ip + items: + type: string + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: ingressIPs must contain at most one IPv4 address + and at most one IPv6 address + rule: 'self == oldSelf || (size(self) == 2 && isIP(self[0]) + && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() + : true)' + loadBalancer: + default: + type: OpenShiftManagedDefault + description: loadBalancer defines how the load balancer used + by the cluster is configured. + properties: + type: + default: OpenShiftManagedDefault + description: |- + type defines the type of load balancer used by the cluster on VSphere platform + which can be a user-managed or openshift-managed load balancer + that is to be used for the OpenShift API and Ingress endpoints. + When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing + defined in the machine config operator will be deployed. + When set to UserManaged these static pods will not be deployed and it is expected that + the load balancer is configured out of band by the deployer. + When omitted, this means no opinion and the platform is left to choose a reasonable default. + The default value is OpenShiftManagedDefault. + enum: + - OpenShiftManagedDefault + - UserManaged + type: string + x-kubernetes-validations: + - message: type is immutable once set + rule: oldSelf == '' || self == oldSelf + type: object + machineNetworks: + description: machineNetworks are IP networks used to connect + all the OpenShift cluster nodes. + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). 
+ maxLength: 43 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid CIDR network address + rule: isCIDR(self) + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - rule: self.all(x, self.exists_one(y, x == y)) + nodeDNSIP: + description: |- + nodeDNSIP is the IP address for the internal DNS used by the + nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` + provides name resolution for the nodes themselves. There is no DNS-as-a-service for + vSphere deployments. In order to minimize necessary changes to the + datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames + to the nodes in the cluster. + type: string + type: object + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml deleted file mode 100644 index 8e7d3c392..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,233 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2448 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: insightsdatagathers.config.openshift.io -spec: - group: config.openshift.io - names: - kind: InsightsDataGather - listKind: InsightsDataGatherList - plural: insightsdatagathers - singular: insightsdatagather - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - InsightsDataGather provides data gather configuration options for the Insights Operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - gatherConfig: - description: gatherConfig is a required spec attribute that includes - all the configuration options related to gathering of the Insights - data and its uploading to the ingress. 
- properties: - dataPolicy: - description: |- - dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. - It may not exceed 2 items and must not contain duplicates. - Valid values are ObfuscateNetworking and WorkloadNames. - When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. - When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. - When omitted no obfuscation is applied. - items: - description: DataPolicyOption declares valid data policy options - enum: - - ObfuscateNetworking - - WorkloadNames - type: string - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: dataPolicy items must be unique - rule: self.all(x, self.exists_one(y, x == y)) - gatherers: - description: gatherers is a required field that specifies the - configuration of the gatherers. - properties: - custom: - description: |- - custom provides gathering configuration. - It is required when mode is Custom, and forbidden otherwise. - Custom configuration allows user to disable only a subset of gatherers. - Gatherers that are not explicitly disabled in custom configuration will run. - properties: - configs: - description: |- - configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. - It may not exceed 100 items and each gatherer can be present only once. - It is possible to disable an entire set of gatherers while allowing a specific function within that set. - The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
- Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - items: - description: GathererConfig allows to configure specific - gatherers - properties: - name: - description: |- - name is the required name of a specific gatherer. - It may not exceed 256 characters. - The format for a gatherer name is: {gatherer}/{function} where the function is optional. - Gatherer consists of a lowercase letters only that may include underscores (_). - Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). - The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - maxLength: 256 - minLength: 1 - type: string - x-kubernetes-validations: - - message: gatherer name must be in the format of - {gatherer}/{function} where the gatherer and - function are lowercase letters only that may - include underscores (_) and are separated by - a forward slash (/) if the function is provided - rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") - state: - description: |- - state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". - When set to Enabled the gatherer will run. - When set to Disabled the gatherer will not run. - enum: - - Enabled - - Disabled - type: string - required: - - name - - state - type: object - maxItems: 100 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - configs - type: object - mode: - description: |- - mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. - When set to All, all gatherers will run and gather data. - When set to None, all gatherers will be disabled and no data will be gathered. - When set to Custom, the custom configuration from the custom field will be applied. - enum: - - All - - None - - Custom - type: string - required: - - mode - type: object - x-kubernetes-validations: - - message: custom is required when mode is Custom, and forbidden - otherwise - rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) - : !has(self.custom)' - storage: - description: |- - storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. - If omitted, the gathering job will use ephemeral storage. - properties: - persistentVolume: - description: |- - persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. - The PersistentVolume must be created in the openshift-insights namespace. - properties: - claim: - description: |- - claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. - The PersistentVolumeClaim must be created in the openshift-insights namespace. - properties: - name: - description: |- - name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. - It is a string that follows the DNS1123 subdomain format. - It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist - of lower case alphanumeric characters, '-' or - '.', and must start and end with an alphanumeric - character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - mountPath: - description: |- - mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default mount path is /var/lib/insights-operator - The path may not exceed 1024 characters and must not contain a colon. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: mountPath must not contain a colon - rule: '!self.contains('':'')' - required: - - claim - type: object - type: - description: |- - type is a required field that specifies the type of storage that will be used to store the Insights data archive. - Valid values are "PersistentVolume" and "Ephemeral". - When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. - When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. - enum: - - PersistentVolume - - Ephemeral - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: persistentVolume is required when type is PersistentVolume, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) - : !has(self.persistentVolume)' - required: - - gatherers - type: object - required: - - gatherConfig - type: object - required: - - spec - type: object - served: true - storage: true 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 0ecdc12f2..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,233 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2448 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: insightsdatagathers.config.openshift.io -spec: - group: config.openshift.io - names: - kind: InsightsDataGather - listKind: InsightsDataGatherList - plural: insightsdatagathers - singular: insightsdatagather - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - InsightsDataGather provides data gather configuration options for the Insights Operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - gatherConfig: - description: gatherConfig is a required spec attribute that includes - all the configuration options related to gathering of the Insights - data and its uploading to the ingress. 
- properties: - dataPolicy: - description: |- - dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. - It may not exceed 2 items and must not contain duplicates. - Valid values are ObfuscateNetworking and WorkloadNames. - When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. - When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. - When omitted no obfuscation is applied. - items: - description: DataPolicyOption declares valid data policy options - enum: - - ObfuscateNetworking - - WorkloadNames - type: string - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: dataPolicy items must be unique - rule: self.all(x, self.exists_one(y, x == y)) - gatherers: - description: gatherers is a required field that specifies the - configuration of the gatherers. - properties: - custom: - description: |- - custom provides gathering configuration. - It is required when mode is Custom, and forbidden otherwise. - Custom configuration allows user to disable only a subset of gatherers. - Gatherers that are not explicitly disabled in custom configuration will run. - properties: - configs: - description: |- - configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. - It may not exceed 100 items and each gatherer can be present only once. - It is possible to disable an entire set of gatherers while allowing a specific function within that set. - The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
- Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - items: - description: GathererConfig allows to configure specific - gatherers - properties: - name: - description: |- - name is the required name of a specific gatherer. - It may not exceed 256 characters. - The format for a gatherer name is: {gatherer}/{function} where the function is optional. - Gatherer consists of a lowercase letters only that may include underscores (_). - Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). - The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - maxLength: 256 - minLength: 1 - type: string - x-kubernetes-validations: - - message: gatherer name must be in the format of - {gatherer}/{function} where the gatherer and - function are lowercase letters only that may - include underscores (_) and are separated by - a forward slash (/) if the function is provided - rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") - state: - description: |- - state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". - When set to Enabled the gatherer will run. - When set to Disabled the gatherer will not run. - enum: - - Enabled - - Disabled - type: string - required: - - name - - state - type: object - maxItems: 100 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - configs - type: object - mode: - description: |- - mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. - When set to All, all gatherers will run and gather data. - When set to None, all gatherers will be disabled and no data will be gathered. - When set to Custom, the custom configuration from the custom field will be applied. - enum: - - All - - None - - Custom - type: string - required: - - mode - type: object - x-kubernetes-validations: - - message: custom is required when mode is Custom, and forbidden - otherwise - rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) - : !has(self.custom)' - storage: - description: |- - storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. - If omitted, the gathering job will use ephemeral storage. - properties: - persistentVolume: - description: |- - persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. - The PersistentVolume must be created in the openshift-insights namespace. - properties: - claim: - description: |- - claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. - The PersistentVolumeClaim must be created in the openshift-insights namespace. - properties: - name: - description: |- - name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. - It is a string that follows the DNS1123 subdomain format. - It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist - of lower case alphanumeric characters, '-' or - '.', and must start and end with an alphanumeric - character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - mountPath: - description: |- - mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default mount path is /var/lib/insights-operator - The path may not exceed 1024 characters and must not contain a colon. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: mountPath must not contain a colon - rule: '!self.contains('':'')' - required: - - claim - type: object - type: - description: |- - type is a required field that specifies the type of storage that will be used to store the Insights data archive. - Valid values are "PersistentVolume" and "Ephemeral". - When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. - When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. - enum: - - PersistentVolume - - Ephemeral - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: persistentVolume is required when type is PersistentVolume, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) - : !has(self.persistentVolume)' - required: - - gatherers - type: object - required: - - gatherConfig - type: object - required: - - spec - type: object - served: true - storage: true 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index afaf9c37d..000000000 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,233 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/2448 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: insightsdatagathers.config.openshift.io -spec: - group: config.openshift.io - names: - kind: InsightsDataGather - listKind: InsightsDataGatherList - plural: insightsdatagathers - singular: insightsdatagather - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - InsightsDataGather provides data gather configuration options for the Insights Operator. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - gatherConfig: - description: gatherConfig is a required spec attribute that includes - all the configuration options related to gathering of the Insights - data and its uploading to the ingress. 
- properties: - dataPolicy: - description: |- - dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. - It may not exceed 2 items and must not contain duplicates. - Valid values are ObfuscateNetworking and WorkloadNames. - When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. - When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. - When omitted no obfuscation is applied. - items: - description: DataPolicyOption declares valid data policy options - enum: - - ObfuscateNetworking - - WorkloadNames - type: string - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: dataPolicy items must be unique - rule: self.all(x, self.exists_one(y, x == y)) - gatherers: - description: gatherers is a required field that specifies the - configuration of the gatherers. - properties: - custom: - description: |- - custom provides gathering configuration. - It is required when mode is Custom, and forbidden otherwise. - Custom configuration allows user to disable only a subset of gatherers. - Gatherers that are not explicitly disabled in custom configuration will run. - properties: - configs: - description: |- - configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. - It may not exceed 100 items and each gatherer can be present only once. - It is possible to disable an entire set of gatherers while allowing a specific function within that set. - The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. 
- Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - items: - description: GathererConfig allows to configure specific - gatherers - properties: - name: - description: |- - name is the required name of a specific gatherer. - It may not exceed 256 characters. - The format for a gatherer name is: {gatherer}/{function} where the function is optional. - Gatherer consists of a lowercase letters only that may include underscores (_). - Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). - The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - Run the following command to get the names of last active gatherers: - "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - maxLength: 256 - minLength: 1 - type: string - x-kubernetes-validations: - - message: gatherer name must be in the format of - {gatherer}/{function} where the gatherer and - function are lowercase letters only that may - include underscores (_) and are separated by - a forward slash (/) if the function is provided - rule: self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$") - state: - description: |- - state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". - When set to Enabled the gatherer will run. - When set to Disabled the gatherer will not run. - enum: - - Enabled - - Disabled - type: string - required: - - name - - state - type: object - maxItems: 100 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - configs - type: object - mode: - description: |- - mode is a required field that specifies the mode for gatherers. 
Allowed values are All, None, and Custom. - When set to All, all gatherers will run and gather data. - When set to None, all gatherers will be disabled and no data will be gathered. - When set to Custom, the custom configuration from the custom field will be applied. - enum: - - All - - None - - Custom - type: string - required: - - mode - type: object - x-kubernetes-validations: - - message: custom is required when mode is Custom, and forbidden - otherwise - rule: 'has(self.mode) && self.mode == ''Custom'' ? has(self.custom) - : !has(self.custom)' - storage: - description: |- - storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. - If omitted, the gathering job will use ephemeral storage. - properties: - persistentVolume: - description: |- - persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. - The PersistentVolume must be created in the openshift-insights namespace. - properties: - claim: - description: |- - claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. - The PersistentVolumeClaim must be created in the openshift-insights namespace. - properties: - name: - description: |- - name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. - It is a string that follows the DNS1123 subdomain format. - It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: a lowercase RFC 1123 subdomain must consist - of lower case alphanumeric characters, '-' or - '.', and must start and end with an alphanumeric - character. 
- rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - name - type: object - mountPath: - description: |- - mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default mount path is /var/lib/insights-operator - The path may not exceed 1024 characters and must not contain a colon. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: mountPath must not contain a colon - rule: '!self.contains('':'')' - required: - - claim - type: object - type: - description: |- - type is a required field that specifies the type of storage that will be used to store the Insights data archive. - Valid values are "PersistentVolume" and "Ephemeral". - When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. - When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. - enum: - - PersistentVolume - - Ephemeral - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: persistentVolume is required when type is PersistentVolume, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''PersistentVolume'' ? has(self.persistentVolume) - : !has(self.persistentVolume)' - required: - - gatherers - type: object - required: - - gatherConfig - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml new file mode 100644 index 000000000..84f5bf266 --- /dev/null 
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-OKD.crd.yaml 
@@ -0,0 +1,136 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1107 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: nodes.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Node + listKind: NodeList + plural: nodes + singular: node + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Node holds cluster-wide information about node specific features. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + cgroupMode: + description: cgroupMode determines the cgroups version on the node + enum: + - v2 + - "" + type: string + workerLatencyProfile: + description: |- + workerLatencyProfile determins the how fast the kubelet is updating + the status and corresponding reaction of the cluster + enum: + - Default + - MediumUpdateAverageReaction + - LowUpdateSlowReaction + type: string + type: object + status: + description: status holds observed values. + properties: + conditions: + description: conditions contain the details and the current state + of the nodes.config object + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index e57a58f01..ab3788f70 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml 
@@ -108,28 +108,6 @@ spec: - HighNodeUtilization - NoScoring type: string - profileCustomizations: - description: |- - profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. - Deprecated: no longer needed, since DRA is GA starting with 4.21, and - is enabled by' default in the cluster, this field will be removed in 4.24. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. - Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml new file mode 100644 index 000000000..c45c0f520 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-OKD.crd.yaml 
@@ -0,0 +1,122 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD + name: schedulers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Scheduler + listKind: SchedulerList + plural: schedulers + singular: scheduler + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Scheduler holds cluster-wide config information to run the Kubernetes Scheduler + and influence its placement decisions. The canonical name for this config is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + defaultNodeSelector: + description: |- + defaultNodeSelector helps set the cluster-wide default node selector to + restrict pod placement to specific nodes. 
This is applied to the pods + created in all namespaces and creates an intersection with any existing + nodeSelectors already set on a pod, additionally constraining that pod's selector. + For example, + defaultNodeSelector: "type=user-node,region=east" would set nodeSelector + field in pod spec to "type=user-node,region=east" to all pods created + in all namespaces. Namespaces having project-wide node selectors won't be + impacted even if this field is set. This adds an annotation section to + the namespace. + For example, if a new namespace is created with + node-selector='type=user-node,region=east', + the annotation openshift.io/node-selector: type=user-node,region=east + gets added to the project. When the openshift.io/node-selector annotation + is set on the project the value is used in preference to the value we are setting + for defaultNodeSelector field. + For instance, + openshift.io/node-selector: "type=user-node,region=west" means + that the default of "type=user-node,region=east" set in defaultNodeSelector + would not be applied. + type: string + mastersSchedulable: + description: |- + mastersSchedulable allows masters nodes to be schedulable. When this flag is + turned on, all the master nodes in the cluster will be made schedulable, + so that workload pods can run on them. The default value for this field is false, + meaning none of the master nodes are schedulable. + Important Note: Once the workload pods start running on the master nodes, + extreme care must be taken to ensure that cluster-critical control plane components + are not impacted. + Please turn on this field after doing due diligence. + type: boolean + policy: + description: |- + DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. + policy is a reference to a ConfigMap containing scheduler policy which has + user specified predicates and priorities. If this ConfigMap is not available + scheduler will default to use DefaultAlgorithmProvider. 
+ The namespace for this configmap is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + profile: + description: |- + profile sets which scheduling profile should be set in order to configure scheduling + decisions for new pods. + + Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" + Defaults to "LowNodeUtilization" + enum: + - "" + - LowNodeUtilization + - HighNodeUtilization + - NoScoring + type: string + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 534bf58f1..cf032fa1a 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml 
@@ -108,28 +108,6 @@ spec: - HighNodeUtilization - NoScoring type: string - profileCustomizations: - description: |- - profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. - Deprecated: no longer needed, since DRA is GA starting with 4.21, and - is enabled by' default in the cluster, this field will be removed in 4.24. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. - Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object type: object status: description: status holds observed values from the cluster. They may not diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 95084cfcb..0cac82825 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go 
@@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk. +func (in *AcceptRisk) DeepCopy() *AcceptRisk { + if in == nil { + return nil + } + out := new(AcceptRisk) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) { *out = *in @@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) { if in.DesiredUpdate != nil { in, out := &in.DesiredUpdate, &out.DesiredUpdate *out = new(Update) - **out = **in + (*in).DeepCopyInto(*out) } if in.Capabilities != nil { in, out := &in.Capabilities, &out.Capabilities @@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ConditionalUpdateRisks != nil { + in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks + *out = make([]ConditionalUpdateRisk, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus { func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) { *out = *in in.Release.DeepCopyInto(&out.Release) + if in.RiskNames != nil { + in, out := &in.RiskNames, &out.RiskNames + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.Risks != nil { in, out := &in.Risks, &out.Risks *out = make([]ConditionalUpdateRisk, len(*in)) 
@@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.MatchingRules != nil { in, out := &in.MatchingRules, &out.MatchingRules *out = make([]ClusterCondition, len(*in)) @@ -1736,27 +1771,6 @@ func (in *ConsoleStatus) DeepCopy() *ConsoleStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Custom) DeepCopyInto(out *Custom) { - *out = *in - if in.Configs != nil { - in, out := &in.Configs, &out.Configs - *out = make([]GathererConfig, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Custom. -func (in *Custom) DeepCopy() *Custom { - if in == nil { - return nil - } - out := new(Custom) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) { *out = *in 
@@ -2467,62 +2481,6 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { - *out = *in - if in.DataPolicy != nil { - in, out := &in.DataPolicy, &out.DataPolicy - *out = make([]DataPolicyOption, len(*in)) - copy(*out, *in) - } - in.Gatherers.DeepCopyInto(&out.Gatherers) - out.Storage = in.Storage - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatherConfig. -func (in *GatherConfig) DeepCopy() *GatherConfig { - if in == nil { - return nil - } - out := new(GatherConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GathererConfig) DeepCopyInto(out *GathererConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GathererConfig. -func (in *GathererConfig) DeepCopy() *GathererConfig { - if in == nil { - return nil - } - out := new(GathererConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Gatherers) DeepCopyInto(out *Gatherers) { - *out = *in - in.Custom.DeepCopyInto(&out.Custom) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gatherers. -func (in *Gatherers) DeepCopy() *Gatherers { - if in == nil { - return nil - } - out := new(Gatherers) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) { *out = *in 
@@ -3626,83 +3584,6 @@ func (in *IngressStatus) DeepCopy() *IngressStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGather. -func (in *InsightsDataGather) DeepCopy() *InsightsDataGather { - if in == nil { - return nil - } - out := new(InsightsDataGather) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *InsightsDataGather) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGatherList) DeepCopyInto(out *InsightsDataGatherList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]InsightsDataGather, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherList. -func (in *InsightsDataGatherList) DeepCopy() *InsightsDataGatherList { - if in == nil { - return nil - } - out := new(InsightsDataGatherList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *InsightsDataGatherList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGatherSpec) DeepCopyInto(out *InsightsDataGatherSpec) { - *out = *in - in.GatherConfig.DeepCopyInto(&out.GatherConfig) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherSpec. -func (in *InsightsDataGatherSpec) DeepCopy() *InsightsDataGatherSpec { - if in == nil { - return nil - } - out := new(InsightsDataGatherSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) { *out = *in 
@@ -5152,39 +5033,6 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. -func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { - if in == nil { - return nil - } - out := new(PersistentVolumeClaimReference) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { - *out = *in - out.Claim = in.Claim - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. -func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { - if in == nil { - return nil - } - out := new(PersistentVolumeConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in 
@@ -6147,23 +5995,6 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Storage) DeepCopyInto(out *Storage) { - *out = *in - out.PersistentVolume = in.PersistentVolume - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. -func (in *Storage) DeepCopy() *Storage { - if in == nil { - return nil - } - out := new(Storage) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringSource) DeepCopyInto(out *StringSource) { *out = *in @@ -6488,6 +6319,11 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Update) DeepCopyInto(out *Update) { *out = *in + if in.AcceptRisks != nil { + in, out := &in.AcceptRisks, &out.AcceptRisks + *out = make([]AcceptRisk, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index e442d8f23..c59c0f630 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -141,6 +141,7 @@ clusterversions.config.openshift.io: Capability: "" Category: "" FeatureGates: + - ClusterUpdateAcceptRisks - ImageStreamImportMode - SignatureStores FilenameOperatorName: cluster-version-operator 
@@ -410,29 +411,6 @@ ingresses.config.openshift.io: TopLevelFeatureGates: [] Version: v1 -insightsdatagathers.config.openshift.io: - Annotations: {} - ApprovedPRNumber: https://github.com/openshift/api/pull/2448 - CRDName: insightsdatagathers.config.openshift.io - Capability: "" - Category: "" - FeatureGates: - - InsightsConfig - FilenameOperatorName: config-operator - FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_10" - GroupName: config.openshift.io - HasStatus: false - KindName: InsightsDataGather - Labels: {} - PluralName: insightsdatagathers - PrinterColumns: [] - Scope: Cluster - ShortNames: null - TopLevelFeatureGates: - - InsightsConfig - Version: v1 - networks.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" @@ -574,7 +552,6 @@ schedulers.config.openshift.io: Capability: "" Category: "" FeatureGates: - - DynamicResourceAllocation - HyperShiftOnlyDynamicResourceAllocation FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index fe0d2236d..2af820ad8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -724,6 +724,15 @@ func (OperandVersion) SwaggerDoc() map[string]string { return map_OperandVersion } +var map_AcceptRisk = map[string]string{ + "": "AcceptRisk represents a risk that is considered acceptable.", + "name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", +} + +func (AcceptRisk) SwaggerDoc() map[string]string { + return map_AcceptRisk +} + var map_ClusterCondition = map[string]string{ "": "ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.", "type": "type represents the cluster-condition type. This defines the members and semantics of any additional properties.", 
@@ -790,15 +799,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string { } var map_ClusterVersionStatus = map[string]string{ - "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", - "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", - "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", - "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", - "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", - "capabilities": "capabilities describes the state of optional, core cluster components.", - "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. 
Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", - "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", - "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.", + "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.", + "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.", + "observedGeneration": "observedGeneration reports which version of the spec is being synced. 
If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.", + "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.", + "capabilities": "capabilities describes the state of optional, core cluster components.", + "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.", + "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.", + "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", + "conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. 
If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", } func (ClusterVersionStatus) SwaggerDoc() map[string]string { @@ -821,6 +831,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string { var map_ConditionalUpdate = map[string]string{ "": "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.", "release": "release is the target of the update.", + "riskNames": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", "risks": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.", } 
@@ -831,6 +842,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string { var map_ConditionalUpdateRisk = map[string]string{ "": "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.", + "conditions": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", "url": "url contains information about this risk.", "name": "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.", "message": "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", 
@@ -879,6 +891,7 @@ var map_Update = map[string]string{ "version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.", "force": "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n operator and you have verified the authenticity of the provided\n image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.", + "acceptRisks": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", } func (Update) SwaggerDoc() map[string]string { 
@@ -893,7 +906,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { 
@@ -1335,7 +1348,7 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).", "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. 
fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", 
@@ -2191,104 +2204,6 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } -var map_Custom = map[string]string{ - "": "Custom provides the custom configuration of gatherers", - "configs": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", -} - -func (Custom) SwaggerDoc() map[string]string { - return map_Custom -} - -var map_GatherConfig = map[string]string{ - "": "GatherConfig provides data gathering configuration options.", - "dataPolicy": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", - "gatherers": "gatherers is a required field that specifies the configuration of the gatherers.", - "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. 
If omitted, the gathering job will use ephemeral storage.", -} - -func (GatherConfig) SwaggerDoc() map[string]string { - return map_GatherConfig -} - -var map_GathererConfig = map[string]string{ - "": "GathererConfig allows to configure specific gatherers", - "name": "name is the required name of a specific gatherer. It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", - "state": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", -} - -func (GathererConfig) SwaggerDoc() map[string]string { - return map_GathererConfig -} - -var map_Gatherers = map[string]string{ - "": "Gatherers specifies the configuration of the gatherers", - "mode": "mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. When set to All, all gatherers will run and gather data. When set to None, all gatherers will be disabled and no data will be gathered. When set to Custom, the custom configuration from the custom field will be applied.", - "custom": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. 
Gatherers that are not explicitly disabled in custom configuration will run.", -} - -func (Gatherers) SwaggerDoc() map[string]string { - return map_Gatherers -} - -var map_InsightsDataGather = map[string]string{ - "": "InsightsDataGather provides data gather configuration options for the Insights Operator.\n\n\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec holds user settable values for configuration", -} - -func (InsightsDataGather) SwaggerDoc() map[string]string { - return map_InsightsDataGather -} - -var map_InsightsDataGatherList = map[string]string{ - "": "InsightsDataGatherList is a collection of items Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the required standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "items": "items is the required list of InsightsDataGather objects it may not exceed 100 items", -} - -func (InsightsDataGatherList) SwaggerDoc() map[string]string { - return map_InsightsDataGatherList -} - -var map_InsightsDataGatherSpec = map[string]string{ - "": "InsightsDataGatherSpec contains the configuration for the data gathering.", - "gatherConfig": "gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.", -} - -func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { - return map_InsightsDataGatherSpec -} - -var map_PersistentVolumeClaimReference = map[string]string{ - "": "PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", - "name": "name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. It is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", -} - -func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { - return map_PersistentVolumeClaimReference -} - -var map_PersistentVolumeConfig = map[string]string{ - "": "PersistentVolumeConfig provides configuration options for PersistentVolume storage.", - "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", -} - -func (PersistentVolumeConfig) SwaggerDoc() map[string]string { - return map_PersistentVolumeConfig -} - -var map_Storage = map[string]string{ - "": "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", - "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", - "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", -} - -func (Storage) SwaggerDoc() map[string]string { - return map_Storage -} - var map_AWSKMSConfig = map[string]string{ "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", 
diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go
index 29622d508..ff0c32bd7 100644
--- a/vendor/github.com/openshift/api/features/features.go
+++ b/vendor/github.com/openshift/api/features/features.go
@@ -40,7 +40,7 @@ var (
 reportProblemsToJiraComponent("Management Console").
 contactPerson("jhadvig").
 productScope(ocpSpecific).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 enhancementPR("https://github.com/openshift/enhancements/pull/1706").
 mustRegister()
 
@@ -49,7 +49,7 @@ var (
 contactPerson("ibihim").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/4193").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateMutatingAdmissionPolicy = newFeatureGate("MutatingAdmissionPolicy").
@@ -65,7 +65,7 @@ var (
 contactPerson("miciah").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateOpenShiftPodSecurityAdmission = newFeatureGate("OpenShiftPodSecurityAdmission").
@@ -73,7 +73,7 @@ var (
 contactPerson("ibihim").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/899").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateBuildCSIVolumes = newFeatureGate("BuildCSIVolumes").
@@ -81,23 +81,15 @@ var (
 contactPerson("adkaplan").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
- FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation").
- reportProblemsToJiraComponent("scheduling").
- contactPerson("jchaloup").
- productScope(kubernetes).
- enhancementPR("https://github.com/kubernetes/enhancements/issues/4381").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
- mustRegister()
-
 FeatureGateAzureWorkloadIdentity = newFeatureGate("AzureWorkloadIdentity").
 reportProblemsToJiraComponent("cloud-credential-operator").
 contactPerson("abutcher").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts").
@@ -128,7 +120,7 @@ var (
 contactPerson("sgrunert").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI").
@@ -136,7 +128,7 @@ var (
 contactPerson("QiWang").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1658").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform").
@@ -144,7 +136,7 @@ var (
 contactPerson("jspeed").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal").
@@ -160,7 +152,7 @@ var (
 contactPerson("vr4manta").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1709").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
@@ -168,7 +160,7 @@ var (
 contactPerson("chiragkyal").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix").
@@ -176,7 +168,7 @@ var (
 contactPerson("chiragkyal").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1714").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy").
@@ -184,7 +176,7 @@ var (
 contactPerson("tssurya").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation").
@@ -192,7 +184,7 @@ var (
 contactPerson("tssurya").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1623").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities").
@@ -200,7 +192,7 @@ var (
 contactPerson("jcaamano").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateRouteAdvertisements = newFeatureGate("RouteAdvertisements").
@@ -208,7 +200,7 @@ var (
 contactPerson("jcaamano").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration").
@@ -216,7 +208,7 @@ var (
 contactPerson("pliu").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateNetworkDiagnosticsConfig = newFeatureGate("NetworkDiagnosticsConfig").
@@ -224,7 +216,7 @@ var (
 contactPerson("kyrtapz").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateOVNObservability = newFeatureGate("OVNObservability").
@@ -271,7 +263,7 @@ var (
 contactPerson("ijanssen").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1765").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting").
@@ -326,7 +318,7 @@ var (
 contactPerson("djoshy").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateManagedBootImagesAWS = newFeatureGate("ManagedBootImagesAWS").
@@ -334,7 +326,7 @@ var (
 contactPerson("djoshy").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere").
@@ -342,7 +334,7 @@ var (
 contactPerson("rsaini").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1496").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateManagedBootImagesAzure = newFeatureGate("ManagedBootImagesAzure").
@@ -350,7 +342,7 @@ var (
 contactPerson("djoshy").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1761").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateManagedBootImagesCPMS = newFeatureGate("ManagedBootImagesCPMS").
@@ -390,7 +382,7 @@ var (
 contactPerson("dgrisonnet").
 productScope(kubernetes).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGatePinnedImages = newFeatureGate("PinnedImages").
@@ -398,7 +390,7 @@ var (
 contactPerson("RishabhSaini").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateUpgradeStatus = newFeatureGate("UpgradeStatus").
@@ -406,23 +398,15 @@ var (
 contactPerson("pmuller").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
- FeatureGateTranslateStreamCloseWebsocketRequests = newFeatureGate("TranslateStreamCloseWebsocketRequests").
- reportProblemsToJiraComponent("kube-apiserver").
- contactPerson("akashem").
- productScope(kubernetes).
- enhancementPR("https://github.com/kubernetes/enhancements/issues/4006").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
- mustRegister()
-
 FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass").
 reportProblemsToJiraComponent("Storage / Kubernetes External Components").
 contactPerson("dfajmon").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/3751").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot").
@@ -446,7 +430,7 @@ var (
 contactPerson("liouk").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1596").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings").
@@ -454,7 +438,7 @@ var (
 contactPerson("bpalmer").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1777").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateExample = newFeatureGate("Example").
@@ -478,7 +462,7 @@ var (
 contactPerson("joe").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateNewOLMCatalogdAPIV1Metas = newFeatureGate("NewOLMCatalogdAPIV1Metas").
@@ -510,7 +494,7 @@ var (
 contactPerson("pegoncal").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1844").
- enableForClusterProfile(SelfManaged, configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateNewOLMBoxCutterRuntime = newFeatureGate("NewOLMBoxCutterRuntime").
@@ -541,7 +525,7 @@ var (
 contactPerson("rexagod").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateClusterAPIInstallIBMCloud = newFeatureGate("ClusterAPIInstallIBMCloud").
@@ -596,7 +580,7 @@ var (
 contactPerson("psundara").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateUserNamespacesSupport = newFeatureGate("UserNamespacesSupport").
@@ -604,7 +588,7 @@ var (
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 // Note: this feature is perma-alpha, but it is safe and desireable to enable.
@@ -615,7 +599,7 @@ var (
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateProcMountType = newFeatureGate("ProcMountType").
@@ -623,7 +607,7 @@ var (
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
@@ -631,7 +615,7 @@ var (
 contactPerson("rvanderp").
 productScope(ocpSpecific).
 enhancementPR(legacyFeatureGateWithoutEnhancement).
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager").
@@ -671,7 +655,7 @@ var (
 contactPerson("eggfoobar").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1674").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateCVOConfiguration = newFeatureGate("ClusterVersionOperatorConfiguration").
@@ -682,6 +666,14 @@ var (
 enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
+ FeatureGateClusterUpdateAcceptRisks = newFeatureGate("ClusterUpdateAcceptRisks").
+ reportProblemsToJiraComponent("Cluster Version Operator").
+ contactPerson("hongkliu").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1807").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
 FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints").
 reportProblemsToJiraComponent("Installer").
 contactPerson("barbacbd").
@@ -724,7 +716,7 @@ var (
 // A dedicated feature gate now controls the Gateway Controller to distinguish
 // its production readiness from that of the CRDs.
 enhancementPR("https://github.com/openshift/enhancements/pull/1756").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureShortCertRotation = newFeatureGate("ShortCertRotation").
@@ -755,7 +747,7 @@ var (
 contactPerson("hekumar").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1804").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateMultiDiskSetup = newFeatureGate("MultiDiskSetup").
@@ -787,7 +779,7 @@ var (
 contactPerson("kyrtapz").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1793").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
@@ -799,11 +791,11 @@ var (
 mustRegister()
 
 FeatureGateImageVolume = newFeatureGate("ImageVolume").
- reportProblemsToJiraComponent("Node").
+ reportProblemsToJiraComponent("Node").
 contactPerson("haircommander").
 productScope(kubernetes).
 enhancementPR("https://github.com/openshift/enhancements/pull/1792").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 
 FeatureGateNoRegistryClusterInstall = newFeatureGate("NoRegistryClusterInstall").
@@ -819,7 +811,7 @@ var (
 contactPerson("barbacbd").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1468").
- enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
 
 FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall").
@@ -943,6 +935,6 @@ var (
 contactPerson("csrwng").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/kubernetes/enhancements/issues/4381").
- enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
+ enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 mustRegister()
 )
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go
deleted file mode 100644
index 77234d0df..000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go
+++ /dev/null
@@ -1,28 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// CustomApplyConfiguration represents a declarative configuration of the Custom type for use -// with apply. -type CustomApplyConfiguration struct { - Configs []GathererConfigApplyConfiguration `json:"configs,omitempty"` -} - -// CustomApplyConfiguration constructs a declarative configuration of the Custom type for use with -// apply. -func Custom() *CustomApplyConfiguration { - return &CustomApplyConfiguration{} -} - -// WithConfigs adds the given value to the Configs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Configs field. -func (b *CustomApplyConfiguration) WithConfigs(values ...*GathererConfigApplyConfiguration) *CustomApplyConfiguration { - for i := range values { - if values[i] == nil { - panic("nil value passed to WithConfigs") - } - b.Configs = append(b.Configs, *values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go deleted file mode 100644 index eaa796519..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go +++ /dev/null 
@@ -1,47 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use -// with apply. -type GatherConfigApplyConfiguration struct { - DataPolicy []configv1.DataPolicyOption `json:"dataPolicy,omitempty"` - Gatherers *GatherersApplyConfiguration `json:"gatherers,omitempty"` - Storage *StorageApplyConfiguration `json:"storage,omitempty"` -} - -// GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with -// apply. -func GatherConfig() *GatherConfigApplyConfiguration { - return &GatherConfigApplyConfiguration{} -} - -// WithDataPolicy adds the given value to the DataPolicy field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the DataPolicy field. -func (b *GatherConfigApplyConfiguration) WithDataPolicy(values ...configv1.DataPolicyOption) *GatherConfigApplyConfiguration { - for i := range values { - b.DataPolicy = append(b.DataPolicy, values[i]) - } - return b -} - -// WithGatherers sets the Gatherers field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Gatherers field is set to the value of the last call. -func (b *GatherConfigApplyConfiguration) WithGatherers(value *GatherersApplyConfiguration) *GatherConfigApplyConfiguration { - b.Gatherers = value - return b -} - -// WithStorage sets the Storage field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
-// If called multiple times, the Storage field is set to the value of the last call. -func (b *GatherConfigApplyConfiguration) WithStorage(value *StorageApplyConfiguration) *GatherConfigApplyConfiguration { - b.Storage = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go deleted file mode 100644 index caa8b79d0..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GathererConfigApplyConfiguration represents a declarative configuration of the GathererConfig type for use -// with apply. -type GathererConfigApplyConfiguration struct { - Name *string `json:"name,omitempty"` - State *configv1.GathererState `json:"state,omitempty"` -} - -// GathererConfigApplyConfiguration constructs a declarative configuration of the GathererConfig type for use with -// apply. -func GathererConfig() *GathererConfigApplyConfiguration { - return &GathererConfigApplyConfiguration{} -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *GathererConfigApplyConfiguration) WithName(value string) *GathererConfigApplyConfiguration { - b.Name = &value - return b -} - -// WithState sets the State field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the State field is set to the value of the last call. -func (b *GathererConfigApplyConfiguration) WithState(value configv1.GathererState) *GathererConfigApplyConfiguration { - b.State = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go deleted file mode 100644 index 32469f512..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GatherersApplyConfiguration represents a declarative configuration of the Gatherers type for use -// with apply. -type GatherersApplyConfiguration struct { - Mode *configv1.GatheringMode `json:"mode,omitempty"` - Custom *CustomApplyConfiguration `json:"custom,omitempty"` -} - -// GatherersApplyConfiguration constructs a declarative configuration of the Gatherers type for use with -// apply. -func Gatherers() *GatherersApplyConfiguration { - return &GatherersApplyConfiguration{} -} - -// WithMode sets the Mode field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Mode field is set to the value of the last call. -func (b *GatherersApplyConfiguration) WithMode(value configv1.GatheringMode) *GatherersApplyConfiguration { - b.Mode = &value - return b -} - -// WithCustom sets the Custom field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Custom field is set to the value of the last call. -func (b *GatherersApplyConfiguration) WithCustom(value *CustomApplyConfiguration) *GatherersApplyConfiguration { - b.Custom = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go deleted file mode 100644 index 829a4071a..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go +++ /dev/null 
@@ -1,254 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" - internal "github.com/openshift/client-go/config/applyconfigurations/internal" - apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - managedfields "k8s.io/apimachinery/pkg/util/managedfields" - metav1 "k8s.io/client-go/applyconfigurations/meta/v1" -) - -// InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use -// with apply. -type InsightsDataGatherApplyConfiguration struct { - metav1.TypeMetaApplyConfiguration `json:",inline"` - *metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` - Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"` -} - -// InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with -// apply. -func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration { - b := &InsightsDataGatherApplyConfiguration{} - b.WithName(name) - b.WithKind("InsightsDataGather") - b.WithAPIVersion("config.openshift.io/v1") - return b -} - -// ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from -// insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a -// InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable), -// APIVersion and Kind populated. It is possible that no managed fields were found for because other -// field managers have taken ownership of all the fields previously owned by fieldManager, or because -// the fieldManager never owned fields any fields. -// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API. -// ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow. 
-// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously -// applied if another fieldManager has updated or force applied any of the previously applied fields. -// Experimental! -func ExtractInsightsDataGather(insightsDataGather *configv1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { - return extractInsightsDataGather(insightsDataGather, fieldManager, "") -} - -// ExtractInsightsDataGatherStatus is the same as ExtractInsightsDataGather except -// that it extracts the status subresource applied configuration. -// Experimental! -func ExtractInsightsDataGatherStatus(insightsDataGather *configv1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { - return extractInsightsDataGather(insightsDataGather, fieldManager, "status") -} - -func extractInsightsDataGather(insightsDataGather *configv1.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) { - b := &InsightsDataGatherApplyConfiguration{} - err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1.InsightsDataGather"), fieldManager, b, subresource) - if err != nil { - return nil, err - } - b.WithName(insightsDataGather.Name) - - b.WithKind("InsightsDataGather") - b.WithAPIVersion("config.openshift.io/v1") - return b, nil -} -func (b InsightsDataGatherApplyConfiguration) IsApplyConfiguration() {} - -// WithKind sets the Kind field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Kind field is set to the value of the last call. 
-func (b *InsightsDataGatherApplyConfiguration) WithKind(value string) *InsightsDataGatherApplyConfiguration { - b.TypeMetaApplyConfiguration.Kind = &value - return b -} - -// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the APIVersion field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithAPIVersion(value string) *InsightsDataGatherApplyConfiguration { - b.TypeMetaApplyConfiguration.APIVersion = &value - return b -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithName(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Name = &value - return b -} - -// WithGenerateName sets the GenerateName field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the GenerateName field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithGenerateName(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.GenerateName = &value - return b -} - -// WithNamespace sets the Namespace field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Namespace field is set to the value of the last call. 
-func (b *InsightsDataGatherApplyConfiguration) WithNamespace(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Namespace = &value - return b -} - -// WithUID sets the UID field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the UID field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithUID(value types.UID) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.UID = &value - return b -} - -// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ResourceVersion field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithResourceVersion(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.ResourceVersion = &value - return b -} - -// WithGeneration sets the Generation field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Generation field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithGeneration(value int64) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Generation = &value - return b -} - -// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
-// If called multiple times, the CreationTimestamp field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.CreationTimestamp = &value - return b -} - -// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DeletionTimestamp field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value - return b -} - -// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value - return b -} - -// WithLabels puts the entries into the Labels field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the Labels field, -// overwriting an existing map entries in Labels field with the same key. 
-func (b *InsightsDataGatherApplyConfiguration) WithLabels(entries map[string]string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { - b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.ObjectMetaApplyConfiguration.Labels[k] = v - } - return b -} - -// WithAnnotations puts the entries into the Annotations field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the Annotations field, -// overwriting an existing map entries in Annotations field with the same key. -func (b *InsightsDataGatherApplyConfiguration) WithAnnotations(entries map[string]string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { - b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.ObjectMetaApplyConfiguration.Annotations[k] = v - } - return b -} - -// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the OwnerReferences field. 
-func (b *InsightsDataGatherApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - for i := range values { - if values[i] == nil { - panic("nil value passed to WithOwnerReferences") - } - b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) - } - return b -} - -// WithFinalizers adds the given value to the Finalizers field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Finalizers field. -func (b *InsightsDataGatherApplyConfiguration) WithFinalizers(values ...string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - for i := range values { - b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) - } - return b -} - -func (b *InsightsDataGatherApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { - if b.ObjectMetaApplyConfiguration == nil { - b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{} - } -} - -// WithSpec sets the Spec field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Spec field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithSpec(value *InsightsDataGatherSpecApplyConfiguration) *InsightsDataGatherApplyConfiguration { - b.Spec = value - return b -} - -// GetKind retrieves the value of the Kind field in the declarative configuration. 
-func (b *InsightsDataGatherApplyConfiguration) GetKind() *string { - return b.TypeMetaApplyConfiguration.Kind -} - -// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetAPIVersion() *string { - return b.TypeMetaApplyConfiguration.APIVersion -} - -// GetName retrieves the value of the Name field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetName() *string { - b.ensureObjectMetaApplyConfigurationExists() - return b.ObjectMetaApplyConfiguration.Name -} - -// GetNamespace retrieves the value of the Namespace field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetNamespace() *string { - b.ensureObjectMetaApplyConfigurationExists() - return b.ObjectMetaApplyConfiguration.Namespace -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go deleted file mode 100644 index 4be6d441a..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use -// with apply. -type InsightsDataGatherSpecApplyConfiguration struct { - GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"` -} - -// InsightsDataGatherSpecApplyConfiguration constructs a declarative configuration of the InsightsDataGatherSpec type for use with -// apply. -func InsightsDataGatherSpec() *InsightsDataGatherSpecApplyConfiguration { - return &InsightsDataGatherSpecApplyConfiguration{} -} - -// WithGatherConfig sets the GatherConfig field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the GatherConfig field is set to the value of the last call. -func (b *InsightsDataGatherSpecApplyConfiguration) WithGatherConfig(value *GatherConfigApplyConfiguration) *InsightsDataGatherSpecApplyConfiguration { - b.GatherConfig = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go deleted file mode 100644 index 49daf4bc2..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use -// with apply. -type PersistentVolumeClaimReferenceApplyConfiguration struct { - Name *string `json:"name,omitempty"` -} - -// PersistentVolumeClaimReferenceApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimReference type for use with -// apply. -func PersistentVolumeClaimReference() *PersistentVolumeClaimReferenceApplyConfiguration { - return &PersistentVolumeClaimReferenceApplyConfiguration{} -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *PersistentVolumeClaimReferenceApplyConfiguration) WithName(value string) *PersistentVolumeClaimReferenceApplyConfiguration { - b.Name = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go deleted file mode 100644 index c62fdbcf9..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use -// with apply. -type PersistentVolumeConfigApplyConfiguration struct { - Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"` - MountPath *string `json:"mountPath,omitempty"` -} - -// PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with -// apply. -func PersistentVolumeConfig() *PersistentVolumeConfigApplyConfiguration { - return &PersistentVolumeConfigApplyConfiguration{} -} - -// WithClaim sets the Claim field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Claim field is set to the value of the last call. -func (b *PersistentVolumeConfigApplyConfiguration) WithClaim(value *PersistentVolumeClaimReferenceApplyConfiguration) *PersistentVolumeConfigApplyConfiguration { - b.Claim = value - return b -} - -// WithMountPath sets the MountPath field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the MountPath field is set to the value of the last call. -func (b *PersistentVolumeConfigApplyConfiguration) WithMountPath(value string) *PersistentVolumeConfigApplyConfiguration { - b.MountPath = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go deleted file mode 100644 index 405df6c13..000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// StorageApplyConfiguration represents a declarative configuration of the Storage type for use -// with apply. -type StorageApplyConfiguration struct { - Type *configv1.StorageType `json:"type,omitempty"` - PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"` -} - -// StorageApplyConfiguration constructs a declarative configuration of the Storage type for use with -// apply. -func Storage() *StorageApplyConfiguration { - return &StorageApplyConfiguration{} -} - -// WithType sets the Type field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Type field is set to the value of the last call. -func (b *StorageApplyConfiguration) WithType(value configv1.StorageType) *StorageApplyConfiguration { - b.Type = &value - return b -} - -// WithPersistentVolume sets the PersistentVolume field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the PersistentVolume field is set to the value of the last call. -func (b *StorageApplyConfiguration) WithPersistentVolume(value *PersistentVolumeConfigApplyConfiguration) *StorageApplyConfiguration { - b.PersistentVolume = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 856255b2a..0d49eb95f 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go 
@@ -1065,17 +1065,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.Custom - map: - fields: - - name: configs - type: - list: - elementType: - namedType: com.github.openshift.api.config.v1.GathererConfig - elementRelationship: associative - keys: - - name - name: com.github.openshift.api.config.v1.CustomFeatureGates map: fields: @@ -1397,14 +1386,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - key - - name: serviceEndpoints - type: - list: - elementType: - namedType: com.github.openshift.api.config.v1.GCPServiceEndpoint - elementRelationship: associative - keys: - - name - name: com.github.openshift.api.config.v1.GCPResourceLabel map: fields: @@ -1431,58 +1412,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.GCPServiceEndpoint - map: - fields: - - name: name - type: - scalar: string - default: "" - - name: url - type: - scalar: string - default: "" -- name: com.github.openshift.api.config.v1.GatherConfig - map: - fields: - - name: dataPolicy - type: - list: - elementType: - scalar: string - elementRelationship: atomic - - name: gatherers - type: - namedType: com.github.openshift.api.config.v1.Gatherers - default: {} - - name: storage - type: - namedType: com.github.openshift.api.config.v1.Storage - default: {} -- name: com.github.openshift.api.config.v1.GathererConfig - map: - fields: - - name: name - type: - scalar: string - - name: state - type: - scalar: string -- name: com.github.openshift.api.config.v1.Gatherers - map: - fields: - - name: custom - type: - namedType: com.github.openshift.api.config.v1.Custom - default: {} - - name: mode - type: - scalar: string - unions: - - discriminator: mode - fields: - - fieldName: custom - discriminatorValue: Custom - name: com.github.openshift.api.config.v1.GitHubIdentityProvider map: fields: 
@@ -2075,30 +2004,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.InsightsDataGather - map: - fields: - - name: apiVersion - type: - scalar: string - - name: kind - type: - scalar: string - - name: metadata - type: - namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta - default: {} - - name: spec - type: - namedType: com.github.openshift.api.config.v1.InsightsDataGatherSpec - default: {} -- name: com.github.openshift.api.config.v1.InsightsDataGatherSpec - map: - fields: - - name: gatherConfig - type: - namedType: com.github.openshift.api.config.v1.GatherConfig - default: {} - name: com.github.openshift.api.config.v1.IntermediateTLSProfile map: elementType: @@ -3028,22 +2933,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: hostname type: scalar: string -- name: com.github.openshift.api.config.v1.PersistentVolumeClaimReference - map: - fields: - - name: name - type: - scalar: string -- name: com.github.openshift.api.config.v1.PersistentVolumeConfig - map: - fields: - - name: claim - type: - namedType: com.github.openshift.api.config.v1.PersistentVolumeClaimReference - default: {} - - name: mountPath - type: - scalar: string - name: com.github.openshift.api.config.v1.PlatformSpec map: fields: @@ -3625,21 +3514,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.Storage - map: - fields: - - name: persistentVolume - type: - namedType: com.github.openshift.api.config.v1.PersistentVolumeConfig - default: {} - - name: type - type: - scalar: string - unions: - - discriminator: type - fields: - - fieldName: persistentVolume - discriminatorValue: PersistentVolume - name: com.github.openshift.api.config.v1.TLSSecurityProfile map: fields: 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 7bf9f7881..048895c11 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -132,8 +132,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ConsoleSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ConsoleStatus"): return &configv1.ConsoleStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("Custom"): - return &configv1.CustomApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CustomFeatureGates"): return &configv1.CustomFeatureGatesApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CustomTLSProfile"): @@ -174,12 +172,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.FeatureGateStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"): return &configv1.FulcioCAWithRekorApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("GatherConfig"): - return &configv1.GatherConfigApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("GathererConfig"): - return &configv1.GathererConfigApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("Gatherers"): - return &configv1.GatherersApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GCPPlatformStatus"): return &configv1.GCPPlatformStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("GCPResourceLabel"): 
@@ -252,10 +244,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.IngressSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("IngressStatus"): return &configv1.IngressStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("InsightsDataGather"): - return &configv1.InsightsDataGatherApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("InsightsDataGatherSpec"): - return &configv1.InsightsDataGatherSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("KeystoneIdentityProvider"): return &configv1.KeystoneIdentityProviderApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("KMSConfig"): @@ -348,10 +336,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.OvirtPlatformLoadBalancerApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("OvirtPlatformStatus"): return &configv1.OvirtPlatformStatusApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("PersistentVolumeClaimReference"): - return &configv1.PersistentVolumeClaimReferenceApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("PersistentVolumeConfig"): - return &configv1.PersistentVolumeConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PKI"): return &configv1.PKIApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("PKICertificateSubject"): @@ -416,8 +400,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.SecretNameReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("SignatureStore"): return &configv1.SignatureStoreApplyConfiguration{} - case v1.SchemeGroupVersion.WithKind("Storage"): - return &configv1.StorageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TemplateReference"): return &configv1.TemplateReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TLSProfileSpec"): 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go index afce6aef5..70957eee8 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go @@ -28,7 +28,6 @@ type ConfigV1Interface interface { ImageTagMirrorSetsGetter InfrastructuresGetter IngressesGetter - InsightsDataGathersGetter NetworksGetter NodesGetter OAuthsGetter @@ -107,10 +106,6 @@ func (c *ConfigV1Client) Ingresses() IngressInterface { return newIngresses(c) } -func (c *ConfigV1Client) InsightsDataGathers() InsightsDataGatherInterface { - return newInsightsDataGathers(c) -} - func (c *ConfigV1Client) Networks() NetworkInterface { return newNetworks(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go index b5a1a5257..764c8912a 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go @@ -76,10 +76,6 @@ func (c *FakeConfigV1) Ingresses() v1.IngressInterface { return newFakeIngresses(c) } -func (c *FakeConfigV1) InsightsDataGathers() v1.InsightsDataGatherInterface { - return newFakeInsightsDataGathers(c) -} - func (c *FakeConfigV1) Networks() v1.NetworkInterface { return newFakeNetworks(c) } 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go deleted file mode 100644 index 1901b7db7..000000000 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go +++ /dev/null @@ -1,37 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1 "github.com/openshift/api/config/v1" - configv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" - typedconfigv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1" - gentype "k8s.io/client-go/gentype" -) - -// fakeInsightsDataGathers implements InsightsDataGatherInterface -type fakeInsightsDataGathers struct { - *gentype.FakeClientWithListAndApply[*v1.InsightsDataGather, *v1.InsightsDataGatherList, *configv1.InsightsDataGatherApplyConfiguration] - Fake *FakeConfigV1 -} - -func newFakeInsightsDataGathers(fake *FakeConfigV1) typedconfigv1.InsightsDataGatherInterface { - return &fakeInsightsDataGathers{ - gentype.NewFakeClientWithListAndApply[*v1.InsightsDataGather, *v1.InsightsDataGatherList, *configv1.InsightsDataGatherApplyConfiguration]( - fake.Fake, - "", - v1.SchemeGroupVersion.WithResource("insightsdatagathers"), - v1.SchemeGroupVersion.WithKind("InsightsDataGather"), - func() *v1.InsightsDataGather { return &v1.InsightsDataGather{} }, - func() *v1.InsightsDataGatherList { return &v1.InsightsDataGatherList{} }, - func(dst, src *v1.InsightsDataGatherList) { dst.ListMeta = src.ListMeta }, - func(list *v1.InsightsDataGatherList) []*v1.InsightsDataGather { - return gentype.ToPointerSlice(list.Items) - }, - func(list *v1.InsightsDataGatherList, items []*v1.InsightsDataGather) { - list.Items = gentype.FromPointerSlice(items) - }, - ), - fake, - } -} 
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go index 27c5fd110..44ad19dcb 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go @@ -34,8 +34,6 @@ type InfrastructureExpansion interface{} type IngressExpansion interface{} -type InsightsDataGatherExpansion interface{} - type NetworkExpansion interface{} type NodeExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go deleted file mode 100644 index 43f662012..000000000 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go +++ /dev/null 
@@ -1,54 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package v1 - -import ( - context "context" - - configv1 "github.com/openshift/api/config/v1" - applyconfigurationsconfigv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" - scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - gentype "k8s.io/client-go/gentype" -) - -// InsightsDataGathersGetter has a method to return a InsightsDataGatherInterface. -// A group's client should implement this interface. -type InsightsDataGathersGetter interface { - InsightsDataGathers() InsightsDataGatherInterface -} - -// InsightsDataGatherInterface has methods to work with InsightsDataGather resources. -type InsightsDataGatherInterface interface { - Create(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.CreateOptions) (*configv1.InsightsDataGather, error) - Update(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.UpdateOptions) (*configv1.InsightsDataGather, error) - Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error - DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error - Get(ctx context.Context, name string, opts metav1.GetOptions) (*configv1.InsightsDataGather, error) - List(ctx context.Context, opts metav1.ListOptions) (*configv1.InsightsDataGatherList, error) - Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *configv1.InsightsDataGather, err error) - Apply(ctx context.Context, insightsDataGather *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.InsightsDataGather, err error) - 
InsightsDataGatherExpansion -} - -// insightsDataGathers implements InsightsDataGatherInterface -type insightsDataGathers struct { - *gentype.ClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration] -} - -// newInsightsDataGathers returns a InsightsDataGathers -func newInsightsDataGathers(c *ConfigV1Client) *insightsDataGathers { - return &insightsDataGathers{ - gentype.NewClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration]( - "insightsdatagathers", - c.RESTClient(), - scheme.ParameterCodec, - "", - func() *configv1.InsightsDataGather { return &configv1.InsightsDataGather{} }, - func() *configv1.InsightsDataGatherList { return &configv1.InsightsDataGatherList{} }, - ), - } -} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go deleted file mode 100644 index 53a173991..000000000 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go +++ /dev/null 
@@ -1,85 +0,0 @@ -// Code generated by informer-gen. DO NOT EDIT. - -package v1 - -import ( - context "context" - time "time" - - apiconfigv1 "github.com/openshift/api/config/v1" - versioned "github.com/openshift/client-go/config/clientset/versioned" - internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" - configv1 "github.com/openshift/client-go/config/listers/config/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - watch "k8s.io/apimachinery/pkg/watch" - cache "k8s.io/client-go/tools/cache" -) - -// InsightsDataGatherInformer provides access to a shared informer and lister for -// InsightsDataGathers. -type InsightsDataGatherInformer interface { - Informer() cache.SharedIndexInformer - Lister() configv1.InsightsDataGatherLister -} - -type insightsDataGatherInformer struct { - factory internalinterfaces.SharedInformerFactory - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// NewInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. -func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { - return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, indexers, nil) -} - -// NewFilteredInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. 
-func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { - return cache.NewSharedIndexInformer( - &cache.ListWatch{ - ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().List(context.Background(), options) - }, - WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().Watch(context.Background(), options) - }, - ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().List(ctx, options) - }, - WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().Watch(ctx, options) - }, - }, - &apiconfigv1.InsightsDataGather{}, - resyncPeriod, - indexers, - ) -} - -func (f *insightsDataGatherInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { - return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) -} - -func (f *insightsDataGatherInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&apiconfigv1.InsightsDataGather{}, f.defaultInformer) -} - -func (f *insightsDataGatherInformer) Lister() configv1.InsightsDataGatherLister { - return configv1.NewInsightsDataGatherLister(f.Informer().GetIndexer()) -} 
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go index 0ad1b98f3..ff4c521b0 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go @@ -40,8 +40,6 @@ type Interface interface { Infrastructures() InfrastructureInformer // Ingresses returns a IngressInformer. Ingresses() IngressInformer - // InsightsDataGathers returns a InsightsDataGatherInformer. - InsightsDataGathers() InsightsDataGatherInformer // Networks returns a NetworkInformer. Networks() NetworkInformer // Nodes returns a NodeInformer. @@ -149,11 +147,6 @@ func (v *version) Ingresses() IngressInformer { return &ingressInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } -// InsightsDataGathers returns a InsightsDataGatherInformer. -func (v *version) InsightsDataGathers() InsightsDataGatherInformer { - return &insightsDataGatherInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} -} - // Networks returns a NetworkInformer. func (v *version) Networks() NetworkInformer { return &networkInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index 146e7e975..59c98ea77 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go 
@@ -71,8 +71,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Infrastructures().Informer()}, nil case v1.SchemeGroupVersion.WithResource("ingresses"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Ingresses().Informer()}, nil - case v1.SchemeGroupVersion.WithResource("insightsdatagathers"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().InsightsDataGathers().Informer()}, nil case v1.SchemeGroupVersion.WithResource("networks"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Networks().Informer()}, nil case v1.SchemeGroupVersion.WithResource("nodes"): diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go index ca93cb283..d4e79cd0e 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go @@ -70,10 +70,6 @@ type InfrastructureListerExpansion interface{} // IngressLister. type IngressListerExpansion interface{} -// InsightsDataGatherListerExpansion allows custom methods to be added to -// InsightsDataGatherLister. -type InsightsDataGatherListerExpansion interface{} - // NetworkListerExpansion allows custom methods to be added to // NetworkLister. type NetworkListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go deleted file mode 100644 index 79da7823f..000000000 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Code generated by lister-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" - labels "k8s.io/apimachinery/pkg/labels" - listers "k8s.io/client-go/listers" - cache "k8s.io/client-go/tools/cache" -) - -// InsightsDataGatherLister helps list InsightsDataGathers. -// All objects returned here must be treated as read-only. -type InsightsDataGatherLister interface { - // List lists all InsightsDataGathers in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*configv1.InsightsDataGather, err error) - // Get retrieves the InsightsDataGather from the index for a given name. - // Objects returned here must be treated as read-only. - Get(name string) (*configv1.InsightsDataGather, error) - InsightsDataGatherListerExpansion -} - -// insightsDataGatherLister implements the InsightsDataGatherLister interface. -type insightsDataGatherLister struct { - listers.ResourceIndexer[*configv1.InsightsDataGather] -} - -// NewInsightsDataGatherLister returns a new InsightsDataGatherLister. -func NewInsightsDataGatherLister(indexer cache.Indexer) InsightsDataGatherLister { - return &insightsDataGatherLister{listers.New[*configv1.InsightsDataGather](indexer, configv1.Resource("insightsdatagather"))} -} diff --git a/vendor/modules.txt b/vendor/modules.txt index c657ef53f..6d43c055c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -166,7 +166,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/flags github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20251127005036-0e3c378fdedc +# github.com/openshift/api v0.0.0-20251222154221-d4b2fef98af2 => github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff ## explicit; go 1.24.0 github.com/openshift/api/config github.com/openshift/api/config/v1 @@ -181,7 +181,7 @@ github.com/openshift/api/operator/v1 github.com/openshift/api/operator/v1alpha1 github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests github.com/openshift/api/security/v1 -# github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a +# github.com/openshift/client-go v0.0.0-20251201171210-333716c1124a => github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc ## explicit; go 1.24.0 github.com/openshift/client-go/config/applyconfigurations github.com/openshift/client-go/config/applyconfigurations/config/v1 @@ -1002,3 +1002,5 @@ sigs.k8s.io/structured-merge-diff/v6/value ## explicit; go 1.22 sigs.k8s.io/yaml # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 +# github.com/openshift/api => github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff +# github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc
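Review bot: The added `# github.com/openshift/api => github.com/hongkailiu/api v0.0.0-20251223025917-1321bde686ff` lines in vendor/modules.txt record that every vendored `github.com/openshift/api` package now comes from a personal fork rather than the openshift organisation's repository. The vendored API types are therefore no longer the ones reviewed and merged upstream, and anyone with push access to that fork controls what a later re-vendor pulls in. If this is a temporary pin for an API change that has not landed yet (it looks like one, but the hunk does not say), the change should stay on hold until the upstream commit exists. The replace can then be dropped, leaving the header as `# github.com/openshift/api <upstream pseudo-version>` after `go mod vendor`. The client-go entry `v0.0.0-20251201171210-333716c1124a => github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc` replaces the module with a newer revision of itself; bumping the required version directly would say the same thing without a replace that has to be remembered and removed.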