diff --git a/cmd/authentication-operator/main.go b/cmd/authentication-operator/main.go
index 529253026..b989bad46 100644
--- a/cmd/authentication-operator/main.go
+++ b/cmd/authentication-operator/main.go
@@ -4,17 +4,16 @@ import (
 	"context"
 	"os"
 
+	"github.com/openshift/cluster-authentication-operator/pkg/cmd/kmshealthwriter"
 	"github.com/openshift/cluster-authentication-operator/pkg/cmd/mom"
 	"github.com/openshift/cluster-authentication-operator/pkg/cmd/operator"
 	"github.com/openshift/cluster-authentication-operator/pkg/cmd/render"
 	"github.com/spf13/cobra"
 	"k8s.io/cli-runtime/pkg/genericiooptions"
-	"k8s.io/client-go/rest"
 	"k8s.io/component-base/cli"
 
 	kmshealth "github.com/openshift/library-go/pkg/operator/encryption/kms/health"
 	kmspreflight "github.com/openshift/library-go/pkg/operator/encryption/kms/preflight"
-	"github.com/openshift/library-go/pkg/operator/v1helpers"
 )
 
 func main() {
@@ -42,11 +41,7 @@ func NewAuthenticationOperatorCommand() *cobra.Command {
 	cmd.AddCommand(mom.NewInputResourcesCommand(ioStreams))
 	cmd.AddCommand(mom.NewOutputResourcesCommand(ioStreams))
 	cmd.AddCommand(render.NewRender())
-	cmd.AddCommand(kmshealth.NewCommand(context.Background(), func(config *rest.Config) (v1helpers.OperatorClient, error) {
-		// TODO: replace with a real operator client once the health reporter's condition writer
-		// is implemented in library-go.
-		return nil, nil
-	}))
+	cmd.AddCommand(kmshealth.NewCommand(context.Background(), kmshealthwriter.NewEncryptionStatusWriter))
 	cmd.AddCommand(kmspreflight.NewCommand(context.Background()))
 
 	return cmd
diff --git a/go.mod b/go.mod
index 8aafa743d..5e547365a 100644
--- a/go.mod
+++ b/go.mod
@@ -11,9 +11,9 @@ require (
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5
-	github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3
+	github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc
 	github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
-	github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
+	github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167
 	github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6
 	github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
 	github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412
@@ -133,3 +133,5 @@ require (
 )
 
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+
+replace github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer
diff --git a/go.sum b/go.sum
index 036682fa9..4ebdb776e 100644
--- a/go.sum
+++ b/go.sum
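Review bot: The second go.mod hunk adds `replace github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer`, an absolute path on one developer's machine, so `go build`/`go mod vendor` fails on any other checkout and in CI. It also defeats the supply-chain pinning of that module: the go.sum hunk below drops both `github.com/openshift/library-go ... h1:` lines, so whatever ends up under `vendor/` for library-go is no longer verifiable against a published checksum, and it is presumably the worktree's uncommitted state rather than the `v0.0.0-20260618132022-b0f5231f2ed6` that the require line still names. Before merge, delete the replace line, bump the library-go require to a published commit that contains the health-reporter writer, and re-run `go mod tidy && go mod vendor` so go.sum regains the `h1:` entries.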
@@ -146,14 +146,12 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5 h1:FJmsOMCeFpAakgnVhHUoITcHLLW9/DrJJSAY1CZaLCA=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3 h1:ywnB6YgTcJlxYpnZ5xMWcvJoiC8eeCJrrolr06KlzeQ=
-github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
+github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc h1:EOhLyqTo5g0sM3MVrKO7Zh2CoVyqNt7Q7zGE15S79Fg=
+github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk=
-github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a/go.mod h1:V933kvY/cb/Un7UCEOhXHUySNX327u7Epe8g9KNqg2Q=
-github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6 h1:Dqs4Fod1A+jnnosihh85xdU9yQVh+R/NcVQLH8sVWr0=
-github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
+github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167 h1:TfqgEkvjjdzmVW3wkXWjh65rF+cjahnrBMbRdraT4Wo=
+github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167/go.mod h1:SYV1Wn6Pd27K9olD4WbUtjn4RWU83b9UjG1rbaQsTRE=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d h1:Rzx23P63JFNNz5D23ubhC0FCN5rK8CeJhKcq5QKcdyU=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d/go.mod h1:iVi9Bopa5cLhjG5ie9DoZVVqkH8BGb1FQVTtecOLn4I=
 github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412 h1:oDB0GmUXLp8y85fWz+LGRE0hM5JqbXTfNPi5GjEqiX0=
diff --git a/pkg/cmd/kmshealthwriter/writer.go b/pkg/cmd/kmshealthwriter/writer.go
new file mode 100644
index 000000000..d5cd025cc
--- /dev/null
+++ b/pkg/cmd/kmshealthwriter/writer.go
@@ -0,0 +1,32 @@
+package kmshealthwriter
+
+import (
+	"context"
+
+	applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
+	operatorclient "github.com/openshift/client-go/operator/clientset/versioned"
+	"github.com/openshift/library-go/pkg/operator/encryption/kms/health"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
+)
+
+// NewEncryptionStatusWriter satisfies health.NewEncryptionStatusWriterFunc.
+// Only the operator itself knows where to apply the KMSEncryptionStatus.
+func NewEncryptionStatusWriter(restConfig *rest.Config, fieldManager string) (health.EncryptionStatusWriter, error) {
+	client, err := operatorclient.NewForConfig(restConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return func(ctx context.Context, status *applyoperatorv1.KMSEncryptionStatusApplyConfiguration) error {
+		_, err := client.OperatorV1().Authentications().ApplyStatus(
+			ctx,
+			applyoperatorv1.Authentication("cluster").
+				WithStatus(applyoperatorv1.AuthenticationStatus().WithOAuthAPIServer(
+					applyoperatorv1.OAuthAPIServerStatus().WithEncryptionStatus(status),
+				)),
+			metav1.ApplyOptions{FieldManager: fieldManager, Force: true},
+		)
+		return err
+	}, nil
+}
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index b7ee33cfc..0b16169cf 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
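Review bot: Both error paths in the new writer.go return the client error bare, so a failure surfaces in the health reporter's logs as a generic apply/config error with no indication that it came from writing KMS status to authentications/cluster under a particular field manager; wrap them, e.g. `return nil, fmt.Errorf("creating operator client for the KMS health writer: %w", err)` and `return fmt.Errorf("applying KMS encryption status to authentications/cluster as %q: %w", fieldManager, err)` (adds an `fmt` import). Separately, the closure passes `status` straight into `WithEncryptionStatus` with no nil check; with `Force: true` server-side apply, an apply whose payload omits `encryptionStatus` will, as far as I can tell, make this field manager relinquish the healthReports it previously owned, so a nil `status` silently clears the reports rather than failing — if that is not the intended reset semantics, guard it with `if status == nil { return errors.New("nil KMS encryption status") }`. The doc comment should also say that the writer force-applies to the singleton `cluster` Authentication under `fieldManager`, so that a caller choosing a manager name shared with another controller understands it will take over conflicting fields.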
@@ -28,9 +28,7 @@ | NoRegistryClusterInstall| | | | Enabled | | | | Enabled | | OLMLifecycleAndCompatibility| | | | Enabled | | | | Enabled | | ProvisioningRequestAvailable| | | Enabled | Enabled | | | | | -| VSphereMultiVCenterDay2| | | Enabled | Enabled | | | | | | AWSClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled | -| AWSClusterHostedDNSInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AWSDedicatedHosts| | | Enabled | Enabled | | | Enabled | Enabled | | AWSDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AWSEuropeanSovereignCloudInstall| | | Enabled | Enabled | | | Enabled | Enabled | @@ -90,9 +88,11 @@ | TLSGroupPreferences| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled | +| VSphereMultiVCenterDay2| | | Enabled | Enabled | | | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | | | Enabled | Enabled | | AWSServiceLBNetworkSecurityGroup| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled | | OSStreams| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled | +| AWSClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BootImageSkewEnforcement| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index de530fa66..1d0f9bcce 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go 
@@ -806,7 +806,7 @@ var (
 		contactPerson("vr4manta").
 		productScope(ocpSpecific).
 		enhancementPR("https://github.com/openshift/enhancements/pull/1961").
-		enable(inDevPreviewNoUpgrade()).
+		enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 		mustRegister()
 
 	FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
@@ -831,7 +831,7 @@ var (
 		contactPerson("barbacbd").
 		productScope(ocpSpecific).
 		enhancementPR("https://github.com/openshift/enhancements/pull/1468").
-		enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+		enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 		mustRegister()
 
 	FeatureGateGCPCustomAPIEndpointsInstall = newFeatureGate("GCPCustomAPIEndpointsInstall").
diff --git a/vendor/github.com/openshift/api/operator/v1/types_authentication.go b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
index 7cc22d1e4..4d0e9f6d6 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_authentication.go
@@ -49,6 +49,11 @@ type OAuthAPIServerStatus struct {
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	LatestAvailableRevision int32 `json:"latestAvailableRevision,omitempty"`
+
+	// encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+	// +optional
+	// +openshift:enable:FeatureGate=KMSEncryption
+	EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
similarity index 100%
rename from vendor/github.com/openshift/api/operator/v1/types_ingress.go
rename to vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go
diff --git a/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go b/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
new file mode 100644
index 000000000..a5dcf7d33
--- /dev/null
+++ b/vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
@@ -0,0 +1,80 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:validation:Enum=Healthy;Unhealthy;Error
+type KMSPluginHealthStatus string
+
+const (
+	KMSPluginHealthStatusHealthy KMSPluginHealthStatus = "Healthy"
+
+	KMSPluginHealthStatusUnhealthy KMSPluginHealthStatus = "Unhealthy"
+
+	KMSPluginHealthStatusError KMSPluginHealthStatus = "Error"
+)
+
+// +openshift:compatibility-gen:level=1
+type KMSPluginHealthReport struct {
+
+	// nodeName is the name of the node this instance of the plugin runs on.
+	// The combination of nodeName and keyId makes this health report unique.
+	// The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain
+	// consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with
+	// an alphanumeric character, and be at most 253 characters in length.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="nodeName must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+	// +required
+	NodeName string `json:"nodeName,omitempty"`
+
+	// keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node.
+	// This is not a cryptographic key used to encrypt/decrypt any resources.
+	// The value must be between 1 and 512 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=512
+	// +required
+	KeyId string `json:"keyId,omitempty"`
+
+	// status contains a health indicator for the respective KMS plugin
+	// The field can have three states: healthy, unhealthy, error.
+	// With error and unhealthy containing additional information in Detail.
+	// +required
+	Status KMSPluginHealthStatus `json:"status,omitempty"`
+
+	// lastCheckedTime is a timestamp of when the probe was last checked.
+	// +required
+	LastCheckedTime metav1.Time `json:"lastCheckedTime,omitempty"`
+
+	// kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id.
+	// This is not a cryptographic key, but a unique representation of the KEK.
+	// The value must be between 1 and 1024 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +required
+	KEKId string `json:"kekId,omitempty"`
+
+	// detail contains additional error/health information for the respective KMS plugin.
+	// When omitted, no additional error or health information is provided.
+	// When set, the value must be between 1 and 1024 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Detail string `json:"detail,omitempty"`
+}
+
+// +openshift:compatibility-gen:level=1
+// +kubebuilder:validation:MinProperties=1
+type KMSEncryptionStatus struct {
+	// healthReports contains all KMS plugin health reports.
+	// When omitted, no health reports are available.
+	// Each entry must have a unique combination of nodeName and keyId.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=200
+	// +listType=map
+	// +listMapKey=nodeName
+	// +listMapKey=keyId
+	HealthReports []KMSPluginHealthReport `json:"healthReports,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
index 1461f11a1..31b0c201b 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go
@@ -63,6 +63,11 @@ type KubeAPIServerStatus struct {
 	// +optional
 	// +listType=atomic
 	ServiceAccountIssuers []ServiceAccountIssuerStatus `json:"serviceAccountIssuers,omitempty"`
+
+	// encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+	// +optional
+	// +openshift:enable:FeatureGate=KMSEncryption
+	EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 
 type ServiceAccountIssuerStatus struct {
diff --git a/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go b/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
index a96e033cb..c9d104ad2 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go
@@ -39,6 +39,11 @@ type OpenShiftAPIServerSpec struct {
 
 type OpenShiftAPIServerStatus struct {
 	OperatorStatus `json:",inline"`
+
+	// encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+	// +optional
+	// +openshift:enable:FeatureGate=KMSEncryption
+	EncryptionStatus KMSEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
new file mode 100644
index 000000000..57df5e129
--- /dev/null
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,431 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. 
+ format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. 
+ type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml new file mode 100644 index 000000000..3eb9d7d49 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml 
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..0371d90d7 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,431 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. 
+ format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. 
+ type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml index 6d2d44026..fa02abd00 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..bdabdecd3 --- /dev/null 
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,431 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. 
+ format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. 
+ type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 000000000..0a3beba5b --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,296 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. 
+ maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. 
+ items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml new file mode 100644 index 000000000..04e2b329d --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml 
@@ -0,0 +1,214 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..89cb665ff --- /dev/null 
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,296 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. 
+ maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. 
+ items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml index bb9b904fc..6c0b86e19 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: openshiftapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..d380fa60f --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,296 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. 
+ maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. + The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' + or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. 
+ items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml new file mode 100644 index 000000000..3d5beb8c3 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,301 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when + the probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. 
+ The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml new file mode 100644 index 000000000..49a08abc0 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml 
@@ -0,0 +1,219 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..9c6a6de7d --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,301 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when + the probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. 
+ The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml index 029c91ac0..d12f5239d 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml @@ -5,6 +5,7 @@ metadata: api-approved.openshift.io: https://github.com/openshift/api/pull/475 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: authentications.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 000000000..196a05d60 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,301 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports. + When omitted, no health reports are available. + Each entry must have a unique combination of nodeName and keyId. + items: + properties: + detail: + description: |- + detail contains additional error/health information for the respective KMS plugin. + When omitted, no additional error or health information is provided. + When set, the value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastCheckedTime: + description: lastCheckedTime is a timestamp of when + the probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of nodeName and keyId makes this health report unique. 
+ The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + an alphanumeric character, and be at most 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: nodeName must be a lowercase RFC 1123 subdomain + consisting of lowercase alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric + character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - Healthy + - Unhealthy + - Error + type: string + required: + - kekId + - keyId + - lastCheckedTime + - nodeName + - status + type: object + maxItems: 200 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeName + - keyId + x-kubernetes-list-type: map + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f8..b39071949 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -338,7 +338,7 @@ func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) { *out = *in - out.OAuthAPIServer = in.OAuthAPIServer + in.OAuthAPIServer.DeepCopyInto(&out.OAuthAPIServer) in.OperatorStatus.DeepCopyInto(&out.OperatorStatus) return } 
@@ -2749,6 +2749,46 @@ func (in *IrreconcilableValidationOverrides) DeepCopy() *IrreconcilableValidatio return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSEncryptionStatus) DeepCopyInto(out *KMSEncryptionStatus) { + *out = *in + if in.HealthReports != nil { + in, out := &in.HealthReports, &out.HealthReports + *out = make([]KMSPluginHealthReport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSEncryptionStatus. +func (in *KMSEncryptionStatus) DeepCopy() *KMSEncryptionStatus { + if in == nil { + return nil + } + out := new(KMSEncryptionStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSPluginHealthReport) DeepCopyInto(out *KMSPluginHealthReport) { + *out = *in + in.LastCheckedTime.DeepCopyInto(&out.LastCheckedTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPluginHealthReport. +func (in *KMSPluginHealthReport) DeepCopy() *KMSPluginHealthReport { + if in == nil { + return nil + } + out := new(KMSPluginHealthReport) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeAPIServer) DeepCopyInto(out *KubeAPIServer) { *out = *in @@ -2838,6 +2878,7 @@ func (in *KubeAPIServerStatus) DeepCopyInto(out *KubeAPIServerStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } 
@@ -4038,6 +4079,7 @@ func (in *NodeStatus) DeepCopy() *NodeStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuthAPIServerStatus) DeepCopyInto(out *OAuthAPIServerStatus) { *out = *in + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } @@ -4287,6 +4329,7 @@ func (in *OpenShiftAPIServerSpec) DeepCopy() *OpenShiftAPIServerSpec { func (in *OpenShiftAPIServerStatus) DeepCopyInto(out *OpenShiftAPIServerStatus) { *out = *in in.OperatorStatus.DeepCopyInto(&out.OperatorStatus) + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 29b4d13d0..9edb02ec6 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ authentications.operator.openshift.io: CRDName: authentications.operator.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryption FilenameOperatorName: authentication FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_50" @@ -222,6 +223,7 @@ kubeapiservers.operator.openshift.io: Category: coreoperators FeatureGates: - EventTTL + - KMSEncryption FilenameOperatorName: kube-apiserver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_20" @@ -376,7 +378,8 @@ openshiftapiservers.operator.openshift.io: CRDName: openshiftapiservers.operator.openshift.io Capability: "" Category: coreoperators - FeatureGates: [] + FeatureGates: + - KMSEncryption FilenameOperatorName: openshift-apiserver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_30" 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 0b82b1ac6..038638551 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -137,6 +137,7 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string { var map_OAuthAPIServerStatus = map[string]string{ "latestAvailableRevision": "latestAvailableRevision is the latest revision used as suffix of revisioned secrets like encryption-config. A new revision causes a new deployment of pods.", + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", } func (OAuthAPIServerStatus) SwaggerDoc() map[string]string { 
@@ -1296,6 +1297,27 @@ func (InsightsReport) SwaggerDoc() map[string]string { return map_InsightsReport } +var map_KMSEncryptionStatus = map[string]string{ + "healthReports": "healthReports contains all KMS plugin health reports. When omitted, no health reports are available. Each entry must have a unique combination of nodeName and keyId.", +} + +func (KMSEncryptionStatus) SwaggerDoc() map[string]string { + return map_KMSEncryptionStatus +} + +var map_KMSPluginHealthReport = map[string]string{ + "nodeName": "nodeName is the name of the node this instance of the plugin runs on. The combination of nodeName and keyId makes this health report unique. The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.", + "keyId": "keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. This is not a cryptographic key used to encrypt/decrypt any resources. The value must be between 1 and 512 characters.", + "status": "status contains a health indicator for the respective KMS plugin The field can have three states: healthy, unhealthy, error. With error and unhealthy containing additional information in Detail.", + "lastCheckedTime": "lastCheckedTime is a timestamp of when the probe was last checked.", + "kekId": "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the KEK. The value must be between 1 and 1024 characters.", + "detail": "detail contains additional error/health information for the respective KMS plugin. When omitted, no additional error or health information is provided. 
When set, the value must be between 1 and 1024 characters.", +} + +func (KMSPluginHealthReport) SwaggerDoc() map[string]string { + return map_KMSPluginHealthReport +} + var map_KubeAPIServer = map[string]string{ "": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1327,6 +1349,7 @@ func (KubeAPIServerSpec) SwaggerDoc() map[string]string { var map_KubeAPIServerStatus = map[string]string{ "serviceAccountIssuers": "serviceAccountIssuers tracks history of used service account issuers. The item without expiration time represents the currently used service account issuer. The other items represents service account issuers that were used previously and are still being trusted. The default expiration for the items is set by the platform and it defaults to 24h. see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection", + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", } func (KubeAPIServerStatus) SwaggerDoc() map[string]string { 
@@ -2080,6 +2103,14 @@ func (OpenShiftAPIServerList) SwaggerDoc() map[string]string { return map_OpenShiftAPIServerList } +var map_OpenShiftAPIServerStatus = map[string]string{ + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", +} + +func (OpenShiftAPIServerStatus) SwaggerDoc() map[string]string { + return map_OpenShiftAPIServerStatus +} + var map_OpenShiftControllerManager = map[string]string{ "": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go new file mode 100644 index 000000000..c23f4d530 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go 
@@ -0,0 +1,98 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ClientCredentialConfigApplyConfiguration represents a declarative configuration of the ClientCredentialConfig type for use +// with apply. +// +// ClientCredentialConfig configures the client credentials and token endpoint +// to use to get an access token via the OAuth2 client credentials grant flow. +type ClientCredentialConfigApplyConfiguration struct { + // clientID is a required client identifier to use during the OAuth2 client credentials flow. + // clientID must be at least 1 character in length, must not exceed 256 characters in length, + // and must only contain printable ASCII characters. + ClientID *string `json:"clientID,omitempty"` + // clientSecret is a required reference to a Secret in the openshift-config namespace to be used + // as the client secret during the OAuth2 client credentials flow. + // + // The key 'client-secret' is used to locate the client secret data in the Secret. + ClientSecret *ClientSecretSecretReferenceApplyConfiguration `json:"clientSecret,omitempty"` + // tokenEndpoint is a required URL to query for an access token using + // the client credential OAuth2 flow. + // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + // tokenEndpoint must be a valid HTTPS URL. + // tokenEndpoint must have a host and a path. + // tokenEndpoint must not contain query parameters, fragments, + // or user information (e.g., "user:password@host"). + TokenEndpoint *string `json:"tokenEndpoint,omitempty"` + // scopes is an optional list of OAuth2 scopes to request when obtaining + // an access token. + // + // If not specified, the token endpoint's default scopes + // will be used. + // + // When specified, there must be at least 1 entry and must not exceed 16 entries. 
+ // Each entry must be at least 1 character in length and must not exceed 256 characters in length. + // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + // Entries must be unique. + Scopes []configv1.OAuth2Scope `json:"scopes,omitempty"` + // tls is an optional field that allows configuring the TLS + // settings used to interact with the identity provider + // as an OAuth2 client. + // + // When omitted, system default TLS settings will be used + // for the OAuth2 client. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` +} + +// ClientCredentialConfigApplyConfiguration constructs a declarative configuration of the ClientCredentialConfig type for use with +// apply. +func ClientCredentialConfig() *ClientCredentialConfigApplyConfiguration { + return &ClientCredentialConfigApplyConfiguration{} +} + +// WithClientID sets the ClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientID field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithClientID(value string) *ClientCredentialConfigApplyConfiguration { + b.ClientID = &value + return b +} + +// WithClientSecret sets the ClientSecret field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientSecret field is set to the value of the last call. 
+func (b *ClientCredentialConfigApplyConfiguration) WithClientSecret(value *ClientSecretSecretReferenceApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.ClientSecret = value + return b +} + +// WithTokenEndpoint sets the TokenEndpoint field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TokenEndpoint field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTokenEndpoint(value string) *ClientCredentialConfigApplyConfiguration { + b.TokenEndpoint = &value + return b +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ClientCredentialConfigApplyConfiguration) WithScopes(values ...configv1.OAuth2Scope) *ClientCredentialConfigApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.TLS = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go new file mode 100644 index 000000000..5b2a8fe03 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go @@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ClientSecretSecretReferenceApplyConfiguration represents a declarative configuration of the ClientSecretSecretReference type for use +// with apply. +// +// ClientSecretSecretReference is a reference to a Secret in the openshift-config +// namespace that should be used for configuring the client secret to be +// used when sourcing claims from external sources with the client credential authentication flow. +type ClientSecretSecretReferenceApplyConfiguration struct { + // name is the required name of the Secret that exists in the openshift-config namespace. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ClientSecretSecretReferenceApplyConfiguration constructs a declarative configuration of the ClientSecretSecretReference type for use with +// apply. +func ClientSecretSecretReference() *ClientSecretSecretReferenceApplyConfiguration { + return &ClientSecretSecretReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClientSecretSecretReferenceApplyConfiguration) WithName(value string) *ClientSecretSecretReferenceApplyConfiguration { + b.Name = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go index 7df6a4be9..7b682ef20 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go @@ -31,6 +31,16 @@ func (b *CustomTLSProfileApplyConfiguration) WithCiphers(values ...string) *Cust return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *CustomTLSProfileApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *CustomTLSProfileApplyConfiguration { + for i := range values { + b.TLSProfileSpecApplyConfiguration.Groups = append(b.TLSProfileSpecApplyConfiguration.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go new file mode 100644 index 000000000..143544e7c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go 
@@ -0,0 +1,97 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalClaimsSourceApplyConfiguration represents a declarative configuration of the ExternalClaimsSource type for use +// with apply. +// +// ExternalClaimsSource provides the configuration for a single external claim source. +type ExternalClaimsSourceApplyConfiguration struct { + // authentication is an optional field that configures how the apiserver authenticates with an external claims source. + // When not specified, anonymous authentication is used which means no 'Authorization' header + // is sent in the HTTP request to fetch the external claims. + Authentication *ExternalSourceAuthenticationApplyConfiguration `json:"authentication,omitempty"` + // tls is an optional field that configures the http client TLS + // settings when fetching external claims from this source. + // + // When omitted, system default TLS settings will be used + // for fetching claims from the external source. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` + // url is a required configuration of the URL + // for which the external claims are located. + URL *SourceURLApplyConfiguration `json:"url,omitempty"` + // mappings is a required list of the claim + // and response handling expression pairs + // that produces the claims from the external source. + // mappings must have at least 1 entry and must not exceed 16 entries. + // Entries must have a unique name across all external claim sources. + Mappings []SourcedClaimMappingApplyConfiguration `json:"mappings,omitempty"` + // predicates is an optional list of constraints in + // which claims should attempt to be fetched from this + // external source. + // + // When omitted, claims are always fetched + // from this external source. + // + // When specified, all predicates must evaluate to 'true' + // before claims are attempted to be fetched from this external source. 
+ // predicates must have at least 1 entry and must not exceed 16 entries. + // Entries must have unique expressions. + Predicates []ExternalSourcePredicateApplyConfiguration `json:"predicates,omitempty"` +} + +// ExternalClaimsSourceApplyConfiguration constructs a declarative configuration of the ExternalClaimsSource type for use with +// apply. +func ExternalClaimsSource() *ExternalClaimsSourceApplyConfiguration { + return &ExternalClaimsSourceApplyConfiguration{} +} + +// WithAuthentication sets the Authentication field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Authentication field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithAuthentication(value *ExternalSourceAuthenticationApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.Authentication = value + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.TLS = value + return b +} + +// WithURL sets the URL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the URL field is set to the value of the last call. 
+func (b *ExternalClaimsSourceApplyConfiguration) WithURL(value *SourceURLApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.URL = value + return b +} + +// WithMappings adds the given value to the Mappings field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Mappings field. +func (b *ExternalClaimsSourceApplyConfiguration) WithMappings(values ...*SourcedClaimMappingApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithMappings") + } + b.Mappings = append(b.Mappings, *values[i]) + } + return b +} + +// WithPredicates adds the given value to the Predicates field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Predicates field. +func (b *ExternalClaimsSourceApplyConfiguration) WithPredicates(values ...*ExternalSourcePredicateApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPredicates") + } + b.Predicates = append(b.Predicates, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go new file mode 100644 index 000000000..a2deb822e --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go 
@@ -0,0 +1,57 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ExternalSourceAuthenticationApplyConfiguration represents a declarative configuration of the ExternalSourceAuthentication type for use +// with apply. +// +// ExternalSourceAuthentication configures how the apiserver should attempt +// to authenticate with an external claims source. +type ExternalSourceAuthenticationApplyConfiguration struct { + // type is a required field that sets the type of + // authentication method used by the authenticator + // when fetching external claims. + // + // Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + // + // When set to 'RequestProvidedToken', the authenticator will + // use the token provided to the kube-apiserver as part of the + // request to authenticate with the external claims source. + // + // When set to 'ClientCredential', the authenticator will + // use the configured client-id, client-secret, and token endpoint + // to fetch an access token using the OAuth2 client credentials grant + // flow. The fetched access token will then be used to authenticate + // with the external claims source. + Type *configv1.ExternalSourceAuthenticationType `json:"type,omitempty"` + // clientCredential configures the client credentials + // and token endpoint to use to get an access token. + // clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + ClientCredential *ClientCredentialConfigApplyConfiguration `json:"clientCredential,omitempty"` +} + +// ExternalSourceAuthenticationApplyConfiguration constructs a declarative configuration of the ExternalSourceAuthentication type for use with +// apply. 
+func ExternalSourceAuthentication() *ExternalSourceAuthenticationApplyConfiguration { + return &ExternalSourceAuthenticationApplyConfiguration{} +} + +// WithType sets the Type field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Type field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithType(value configv1.ExternalSourceAuthenticationType) *ExternalSourceAuthenticationApplyConfiguration { + b.Type = &value + return b +} + +// WithClientCredential sets the ClientCredential field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientCredential field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithClientCredential(value *ClientCredentialConfigApplyConfiguration) *ExternalSourceAuthenticationApplyConfiguration { + b.ClientCredential = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go new file mode 100644 index 000000000..f1fb64e74 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration represents a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use +// with apply. +// +// ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config +// namespace that should be used for configuring the certificate authority to be +// used when sourcing claims from external sources. +type ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration struct { + // name is the required name of the ConfigMap that exists in the openshift-config namespace. + // The key "ca-bundle.crt" must be present and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration constructs a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use with +// apply. +func ExternalSourceCertificateAuthorityConfigMapReference() *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + return &ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) WithName(value string) *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + b.Name = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go new file mode 100644 index 000000000..ade172dee --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go 
@@ -0,0 +1,43 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourcePredicateApplyConfiguration represents a declarative configuration of the ExternalSourcePredicate type for use +// with apply. +// +// ExternalSourcePredicate configures a singular condition +// that must return true before the external source is queried +// to retrieve external claims. +type ExternalSourcePredicateApplyConfiguration struct { + // expression is a required CEL expression that + // is used to determine whether or not an external + // source should be used to fetch external claims. + // + // The expression must return a boolean value, + // where true means that the source should be consulted + // and false means that it should not. + // + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // + // The contents of the `claims` variable varies based on the claims that are + // present in the token being validated. It is the responsibility of those configuring this + // field to understand what claims the identity provider includes when issuing tokens. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// ExternalSourcePredicateApplyConfiguration constructs a declarative configuration of the ExternalSourcePredicate type for use with +// apply. +func ExternalSourcePredicate() *ExternalSourcePredicateApplyConfiguration { + return &ExternalSourcePredicateApplyConfiguration{} +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. 
+func (b *ExternalSourcePredicateApplyConfiguration) WithExpression(value string) *ExternalSourcePredicateApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go new file mode 100644 index 000000000..a0b84ad6d --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go 
@@ -0,0 +1,30 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceTLSApplyConfiguration represents a declarative configuration of the ExternalSourceTLS type for use +// with apply. +// +// ExternalSourceTLS configures the TLS options that the apiserver uses as a client +// when making a request to the external claim source. +type ExternalSourceTLSApplyConfiguration struct { + // certificateAuthority is a required reference to a ConfigMap in the openshift-config + // namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + // The key "ca-bundle.crt" must be present in the referenced ConfigMap and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + CertificateAuthority *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration `json:"certificateAuthority,omitempty"` +} + +// ExternalSourceTLSApplyConfiguration constructs a declarative configuration of the ExternalSourceTLS type for use with +// apply. +func ExternalSourceTLS() *ExternalSourceTLSApplyConfiguration { + return &ExternalSourceTLSApplyConfiguration{} +} + +// WithCertificateAuthority sets the CertificateAuthority field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CertificateAuthority field is set to the value of the last call. +func (b *ExternalSourceTLSApplyConfiguration) WithCertificateAuthority(value *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) *ExternalSourceTLSApplyConfiguration { + b.CertificateAuthority = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go new file mode 100644 index 000000000..1ccd98076 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go 
@@ -0,0 +1,33 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// NetworkObservabilitySpecApplyConfiguration represents a declarative configuration of the NetworkObservabilitySpec type for use +// with apply. +// +// NetworkObservabilitySpec defines the configuration for network observability installation +type NetworkObservabilitySpecApplyConfiguration struct { + // installationPolicy controls whether network observability is installed during cluster deployment. + // Valid values are "InstallAndEnable" and "NoAction". + // When set to "InstallAndEnable", ensure that network observability will be installed and enabled on the cluster. If already installed, no action taken, but if it gets uninstalled, it will install it again. + // When set to "NoAction", nothing will be done regarding Network observability. + InstallationPolicy *configv1.NetworkObservabilityInstallationPolicy `json:"installationPolicy,omitempty"` +} + +// NetworkObservabilitySpecApplyConfiguration constructs a declarative configuration of the NetworkObservabilitySpec type for use with +// apply. +func NetworkObservabilitySpec() *NetworkObservabilitySpecApplyConfiguration { + return &NetworkObservabilitySpecApplyConfiguration{} +} + +// WithInstallationPolicy sets the InstallationPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the InstallationPolicy field is set to the value of the last call. +func (b *NetworkObservabilitySpecApplyConfiguration) WithInstallationPolicy(value configv1.NetworkObservabilityInstallationPolicy) *NetworkObservabilitySpecApplyConfiguration { + b.InstallationPolicy = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go index 4a3f9b7b8..27e7480ec 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go @@ -42,6 +42,10 @@ type NetworkSpecApplyConfiguration struct { // and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, // the network diagnostics feature will be disabled. NetworkDiagnostics *NetworkDiagnosticsApplyConfiguration `json:"networkDiagnostics,omitempty"` + // networkObservability is an optional field that configures network observability installation + // during cluster deployment (day-0). + // When omitted, unless this is a SNO cluster, network observability will be installed if not already present, after that, no action taken. + NetworkObservability *NetworkObservabilitySpecApplyConfiguration `json:"networkObservability,omitempty"` } // NetworkSpecApplyConfiguration constructs a declarative configuration of the NetworkSpec type for use with @@ -104,3 +108,11 @@ func (b *NetworkSpecApplyConfiguration) WithNetworkDiagnostics(value *NetworkDia b.NetworkDiagnostics = value return b } + +// WithNetworkObservability sets the NetworkObservability field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NetworkObservability field is set to the value of the last call. +func (b *NetworkSpecApplyConfiguration) WithNetworkObservability(value *NetworkObservabilitySpecApplyConfiguration) *NetworkSpecApplyConfiguration { + b.NetworkObservability = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go index 6f5a249a7..4fb1c97eb 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go 
@@ -26,6 +26,27 @@ type OIDCProviderApplyConfiguration struct { // If any rule in the chain of rules evaluates to 'false', authentication will fail. // When specified, at least one rule must be specified and no more than 64 rules may be specified. UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"` + // externalClaimsSources is an optional field that can be used to configure + // sources, external to the token provided in a request, in which claims + // should be fetched from and made available to the claim mapping process + // that is used to build the identity of a token holder. + // + // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + // + // When not specified, only claims present in the token itself will be available + // in the claim mapping process. + // + // When specified, at least one external claim source must be specified and no more than 5 + // sources may be specified. + // All external claim sources must have unique claim mappings. + // When an external source responds and resolves additional claims successfully, they will + // be made available as claims during the claim mapping process. + // Externally sourced claims with the same name as a claim existing within the token will + // overwrite the claim data from the token with the externally sourced information. + // If an external source does not respond, responds with an error, or the additional + // claim data cannot be resolved from the response successfully it will not be + // included in the claim data passed to the claim mapping process. + ExternalClaimsSources []ExternalClaimsSourceApplyConfiguration `json:"externalClaimsSources,omitempty"` } // OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with 
@@ -96,3 +117,16 @@ func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*Toke } return b } + +// WithExternalClaimsSources adds the given value to the ExternalClaimsSources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ExternalClaimsSources field. +func (b *OIDCProviderApplyConfiguration) WithExternalClaimsSources(values ...*ExternalClaimsSourceApplyConfiguration) *OIDCProviderApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithExternalClaimsSources") + } + b.ExternalClaimsSources = append(b.ExternalClaimsSources, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go new file mode 100644 index 000000000..92c4dc24f --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go 
@@ -0,0 +1,51 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourcedClaimMappingApplyConfiguration represents a declarative configuration of the SourcedClaimMapping type for use +// with apply. +// +// SourcedClaimMapping configures the mapping behavior for a single external claim +// from the response the apiserver received from the external claim source. +type SourcedClaimMappingApplyConfiguration struct { + // name is a required name of the claim that + // will be produced and made available during + // the claim-to-identity mapping process. + // name must consist of only lowercase alpha characters and underscores ('_'). + // name must be at least 1 character and must not exceed 256 characters in length. + Name *string `json:"name,omitempty"` + // expression is a required CEL expression that + // will produce a value to be assigned to the claim. + // The full response body from the request to the + // external claim source is provided via the + // `response.body` variable. + // + // The contents of the `response.body` variable varies based on the response received + // from the external source. It is the responsibility of those configuring + // this expression to understand what is returned from the external source. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// SourcedClaimMappingApplyConfiguration constructs a declarative configuration of the SourcedClaimMapping type for use with +// apply. +func SourcedClaimMapping() *SourcedClaimMappingApplyConfiguration { + return &SourcedClaimMappingApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *SourcedClaimMappingApplyConfiguration) WithName(value string) *SourcedClaimMappingApplyConfiguration { + b.Name = &value + return b +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. +func (b *SourcedClaimMappingApplyConfiguration) WithExpression(value string) *SourcedClaimMappingApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go new file mode 100644 index 000000000..b94a89f39 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go 
@@ -0,0 +1,67 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourceURLApplyConfiguration represents a declarative configuration of the SourceURL type for use +// with apply. +// +// SourceURL configures the options used to build the URL that is queried for external claims. +type SourceURLApplyConfiguration struct { + // hostname is a required hostname for which the external claims are located. + // + // It must be a valid DNS subdomain name as per RFC1123. + // + // This means that it must start and end with a lowercase alphanumeric character, + // must only consist of lowercase alphanumeric characters, '-', and '.'. + // hostname may optionally specify a port in the format ':{port}'. + // If a port is specified it must not exceed 65535. + // + // hostname must be at least 1 character in length. + // When specifying a port, hostname must not exceed 259 characters in length. + // When not specifying a port, hostname must not exceed 253 characters in length. + Hostname *string `json:"hostname,omitempty"` + // pathExpression is a required CEL expression that returns a list + // of string values used to construct the URL path. + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // expression must be at least 1 character in length and must not exceed 1024 characters in length. + // + // Values in the returned list will be joined with the hostname using a forward slash + // (`/`) as a separator. Values in the returned list do not need to include the forward slash. + // If a forward slash is included in a returned value, it will be encoded as `%2F`. 
+ // + // Example of a static path configuration: + // + // pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo'] + // + // The above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo' + // + // Example of a dynamic path configuration: + // + // pathExpression: "['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']" + // + // Assuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups' + PathExpression *string `json:"pathExpression,omitempty"` +} + +// SourceURLApplyConfiguration constructs a declarative configuration of the SourceURL type for use with +// apply. +func SourceURL() *SourceURLApplyConfiguration { + return &SourceURLApplyConfiguration{} +} + +// WithHostname sets the Hostname field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Hostname field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithHostname(value string) *SourceURLApplyConfiguration { + b.Hostname = &value + return b +} + +// WithPathExpression sets the PathExpression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PathExpression field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithPathExpression(value string) *SourceURLApplyConfiguration { + b.PathExpression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go index 5e34ffd5d..cbefaf516 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go @@ -21,6 +21,24 @@ type TLSProfileSpecApplyConfiguration struct { // TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable // and are always enabled when TLS 1.3 is negotiated. Ciphers []string `json:"ciphers,omitempty"` + // groups is an optional, ordered field used to specify the supported groups (formerly known as + // elliptic curves) that are used during the TLS handshake. The order of the groups represents + // a suggested preference, with the most preferred group first. Note that not all platform + // components honor the ordering: Go-based components use Go's internal preference order and + // treat this list as a filter of allowed groups rather than an ordered preference. + // Operators may remove entries their operands do not support. + // + // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + // subject to change over time and may be different per platform component depending on the underlying TLS + // libraries they use. If specified, the list must contain at least one and at most 7 groups, + // and each group must be unique. + // + // For example, to use X25519 and secp256r1 (yaml): + // + // groups: + // - X25519 + // - secp256r1 + Groups []configv1.TLSGroup `json:"groups,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS // versions 1.1, 1.2 and 1.3 (yaml): 
@@ -45,6 +63,16 @@ func (b *TLSProfileSpecApplyConfiguration) WithCiphers(values ...string) *TLSPro return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *TLSProfileSpecApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *TLSProfileSpecApplyConfiguration { + for i := range values { + b.Groups = append(b.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go index dd57aad08..eab7cd452 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go 
@@ -15,10 +15,16 @@ type TLSSecurityProfileApplyConfiguration struct { // type is one of Old, Intermediate, Modern or Custom. Custom provides the // ability to specify individual TLS security profile parameters. // - // The profiles are based on version 5.7 of the Mozilla Server Side TLS - // configuration guidelines. The cipher lists consist of the configuration's - // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - // See: https://ssl-config.mozilla.org/guidelines/5.7.json + // The cipher and groups lists in these profiles are based on version 5.8 of the + // Mozilla Server Side TLS configuration guidelines. + // See: https://ssl-config.mozilla.org/guidelines/5.8.json + // + // The groups are listed in suggested preference order, with the most preferred group first. + // Note that not all platform components honor the ordering: Go-based components use Go's + // internal preference order and treat this list as a filter of allowed groups rather than + // an ordered preference. + // Note that X25519MLKEM768 is a post-quantum hybrid group that is not + // FIPS-approved and should be ignored by components running in FIPS mode. // // The profiles are intent based, so they may change over time as new ciphers are // developed and existing ciphers are found to be insecure. Depending on @@ -27,6 +33,10 @@ type TLSSecurityProfileApplyConfiguration struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: 
@@ -43,11 +53,14 @@ type TLSSecurityProfileApplyConfiguration struct { // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 + // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA @@ -56,6 +69,10 @@ type TLSSecurityProfileApplyConfiguration struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -71,7 +88,9 @@ type TLSSecurityProfileApplyConfiguration struct { Intermediate *configv1.IntermediateTLSProfile `json:"intermediate,omitempty"` // modern is a TLS security profile for use with clients that support TLS 1.3 and // do not need backward compatibility for older clients. - // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS13 // ciphers: 
@@ -80,8 +99,11 @@ type TLSSecurityProfileApplyConfiguration struct { // - TLS_CHACHA20_POLY1305_SHA256 Modern *configv1.ModernTLSProfile `json:"modern,omitempty"` // custom is a user-defined TLS security profile. Be extremely careful using a custom - // profile as invalid configurations can be catastrophic. An example custom profile - // looks like this: + // profile as invalid configurations can be catastrophic. + // + // The supported groups list for this profile is empty by default. + // + // An example custom profile looks like this: // // minTLSVersion: VersionTLS11 // ciphers: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go index ede86ce36..9119cbe19 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go @@ -9,7 +9,7 @@ package v1 type VaultAppRoleAuthenticationApplyConfiguration struct { // secret references a secret in the openshift-config namespace containing // the AppRole credentials used to authenticate with Vault. - // The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + // The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. Secret *VaultSecretReferenceApplyConfiguration `json:"secret,omitempty"` } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go index e8cd3bcdf..736095a27 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go @@ -47,14 +47,10 @@ type VaultKMSPluginConfigApplyConfiguration struct { Authentication *VaultAuthenticationApplyConfiguration `json:"authentication,omitempty"` // transitMount specifies the mount path of the Vault Transit engine. // - // When omitted, this means the user has no opinion and the platform is left - // to choose a reasonable default. These defaults are subject to change over time. - // The current default is "transit". - // - // The transit mount must be between 1 and 1024 characters when specified, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and must only contain - // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - // slashes as path separators. + // The transit mount must be between 1 and 1024 characters, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and + // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + // period, underscore, tilde) and forward slashes as path separators. TransitMount *string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. // This key is used to encrypt and decrypt data. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go index 9fba4e1a4..04bf8c3bf 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go 
@@ -9,7 +9,7 @@ package v1 type VaultTLSConfigApplyConfiguration struct { // caBundle references a ConfigMap in the openshift-config namespace containing // the CA certificate bundle used to verify the TLS connection to the Vault server. - // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". // When this field is not set, the system's trusted CA certificates are used. // // The namespace for the ConfigMap is openshift-config. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go index c47130a18..37c93f7e1 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go 
@@ -13,8 +13,23 @@ import ( // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance // that runs in the `openshift-monitoring` namespace. Use this configuration to control -// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled. +// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, +// and how its pods are scheduled. type AlertmanagerCustomConfigApplyConfiguration struct { + // userAlertmanagerConfigSelection is an optional field that controls whether user-defined + // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager + // instance in the `openshift-monitoring` namespace. + // Valid values are Selectable and None. + // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources + // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in + // the cluster-monitoring-config ConfigMap. + // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups + // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` + // in the cluster-monitoring-config ConfigMap. + // This setting only applies when the user-workload monitoring Alertmanager is not enabled. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default value is `None`. + UserAlertmanagerConfigSelection *configv1alpha1.UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"` // logLevel defines the verbosity of logs emitted by Alertmanager. // This field allows users to control the amount and severity of logs generated, which can be useful // for debugging issues or reducing noise in production environments. 
@@ -103,6 +118,14 @@ func AlertmanagerCustomConfig() *AlertmanagerCustomConfigApplyConfiguration { return &AlertmanagerCustomConfigApplyConfiguration{} } +// WithUserAlertmanagerConfigSelection sets the UserAlertmanagerConfigSelection field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UserAlertmanagerConfigSelection field is set to the value of the last call. +func (b *AlertmanagerCustomConfigApplyConfiguration) WithUserAlertmanagerConfigSelection(value configv1alpha1.UserAlertmanagerConfigSelection) *AlertmanagerCustomConfigApplyConfiguration { + b.UserAlertmanagerConfigSelection = &value + return b +} + // WithLogLevel sets the LogLevel field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the LogLevel field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go index 35ec6d14e..288edad61 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go 
@@ -78,6 +78,11 @@ type ClusterMonitoringSpecApplyConfiguration struct { // or topology spread constraints. // When set, at least one field must be specified within monitoringPluginConfig. MonitoringPluginConfig *MonitoringPluginConfigApplyConfiguration `json:"monitoringPluginConfig,omitempty"` + // kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics + // agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about + // the state of Kubernetes objects such as Deployments, Nodes, and Pods. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + KubeStateMetricsConfig *KubeStateMetricsConfigApplyConfiguration `json:"kubeStateMetricsConfig,omitempty"` } // ClusterMonitoringSpecApplyConfiguration constructs a declarative configuration of the ClusterMonitoringSpec type for use with @@ -173,3 +178,11 @@ func (b *ClusterMonitoringSpecApplyConfiguration) WithMonitoringPluginConfig(val b.MonitoringPluginConfig = value return b } + +// WithKubeStateMetricsConfig sets the KubeStateMetricsConfig field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KubeStateMetricsConfig field is set to the value of the last call. +func (b *ClusterMonitoringSpecApplyConfiguration) WithKubeStateMetricsConfig(value *KubeStateMetricsConfigApplyConfiguration) *ClusterMonitoringSpecApplyConfiguration { + b.KubeStateMetricsConfig = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go new file mode 100644 index 000000000..ed850ef34 --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go 
@@ -0,0 +1,145 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/api/core/v1" +) + +// KubeStateMetricsConfigApplyConfiguration represents a declarative configuration of the KubeStateMetricsConfig type for use +// with apply. +// +// KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent +// that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics +// about the state of Kubernetes objects such as Deployments, Nodes, and Pods. +type KubeStateMetricsConfigApplyConfiguration struct { + // nodeSelector defines the nodes on which the Pods are scheduled. + // nodeSelector is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // The current default value is `kubernetes.io/os: linux`. + // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + // resources defines the compute resource requests and limits for the kube-state-metrics container. + // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + // When not specified, defaults are used by the platform. Requests cannot exceed limits. + // This field is optional. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // This is a simplified API that maps to Kubernetes ResourceRequirements. + // The current default values are: + // resources: + // - name: cpu + // request: 4m + // limit: null + // - name: memory + // request: 40Mi + // limit: null + // Maximum length for this list is 5. + // Minimum length for this list is 1. + // Each resource name must be unique within this list. 
+ Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` + // tolerations defines tolerations for the pods. + // tolerations is optional. + // + // When omitted, no tolerations are applied. This default is subject to change over time. + // When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. + // Each toleration's operator, when specified, must be either "Exists" or "Equal". + // Each toleration's effect, when specified, must be one of "NoSchedule", "PreferNoSchedule", or "NoExecute". + // An empty or unset effect means match all effects. + Tolerations []v1.Toleration `json:"tolerations,omitempty"` + // topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed + // across topology domains such as zones, nodes, or other user-defined labels. + // topologySpreadConstraints is optional. + // This helps improve high availability and resource efficiency by avoiding placing + // too many replicas in the same failure domain. + // + // This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + // When omitted, no topology spread constraints are applied. This default is subject to change over time. + // When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. + // Entries must have unique topologyKey and whenUnsatisfiable pairs. + // Each entry's whenUnsatisfiable must be either "DoNotSchedule" or "ScheduleAnyway". + // Each entry's maxSkew must be at least 1. + // When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be "DoNotSchedule". + TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` + // additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics + // in kube-state-metrics. + // Currently, only "Job" and "CronJob" resources are supported due to cardinality concerns. 
+ // Each entry specifies a resource name and a list of Kubernetes label names to expose. + // Use "*" in the labels list to expose all labels for a given resource. + // additionalResourceLabels is optional. + // When omitted, no additional Kubernetes object labels are exposed as metrics + // by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). + // Use this field to opt in to exposing specific Kubernetes labels as metric labels + // for the supported resource types. + // Minimum length for this list is 1. + // Maximum length for this list is 2. + // Each resource name must be unique within this list. + AdditionalResourceLabels []KubeStateMetricsResourceLabelsApplyConfiguration `json:"additionalResourceLabels,omitempty"` +} + +// KubeStateMetricsConfigApplyConfiguration constructs a declarative configuration of the KubeStateMetricsConfig type for use with +// apply. +func KubeStateMetricsConfig() *KubeStateMetricsConfigApplyConfiguration { + return &KubeStateMetricsConfigApplyConfiguration{} +} + +// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the NodeSelector field, +// overwriting an existing map entries in NodeSelector field with the same key. +func (b *KubeStateMetricsConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *KubeStateMetricsConfigApplyConfiguration { + if b.NodeSelector == nil && len(entries) > 0 { + b.NodeSelector = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.NodeSelector[k] = v + } + return b +} + +// WithResources adds the given value to the Resources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. 
+// If called multiple times, values provided by each call will be appended to the Resources field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithResources(values ...*ContainerResourceApplyConfiguration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithResources") + } + b.Resources = append(b.Resources, *values[i]) + } + return b +} + +// WithTolerations adds the given value to the Tolerations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Tolerations field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + b.Tolerations = append(b.Tolerations, values[i]) + } + return b +} + +// WithTopologySpreadConstraints adds the given value to the TopologySpreadConstraints field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the TopologySpreadConstraints field. +func (b *KubeStateMetricsConfigApplyConfiguration) WithTopologySpreadConstraints(values ...v1.TopologySpreadConstraint) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + b.TopologySpreadConstraints = append(b.TopologySpreadConstraints, values[i]) + } + return b +} + +// WithAdditionalResourceLabels adds the given value to the AdditionalResourceLabels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the AdditionalResourceLabels field. 
+func (b *KubeStateMetricsConfigApplyConfiguration) WithAdditionalResourceLabels(values ...*KubeStateMetricsResourceLabelsApplyConfiguration) *KubeStateMetricsConfigApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithAdditionalResourceLabels") + } + b.AdditionalResourceLabels = append(b.AdditionalResourceLabels, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go new file mode 100644 index 000000000..8b4de02a9 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go 
@@ -0,0 +1,53 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// KubeStateMetricsResourceLabelsApplyConfiguration represents a declarative configuration of the KubeStateMetricsResourceLabels type for use +// with apply. +// +// KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics +// for a given resource type in kube-state-metrics. +type KubeStateMetricsResourceLabelsApplyConfiguration struct { + // resource is the Kubernetes resource name whose labels should be exposed as metrics. + // Currently, only "Job" and "CronJob" are supported due to cardinality concerns. + // Valid values are "Job" and "CronJob". + // This field is required. + Resource *configv1alpha1.KubeStateMetricsResourceName `json:"resource,omitempty"` + // labels is the list of Kubernetes label names to expose as metrics for this resource. + // Use "*" to expose all labels for the specified resource. + // When "*" is specified, it must be the only entry in the list; mixing "*" with + // specific label names is not allowed. + // This field is required. + // Each label name must be unique within this list. + // Minimum length for this list is 1. + // Maximum length for this list is 50. + Labels []configv1alpha1.KubeStateMetricsLabelName `json:"labels,omitempty"` +} + +// KubeStateMetricsResourceLabelsApplyConfiguration constructs a declarative configuration of the KubeStateMetricsResourceLabels type for use with +// apply. +func KubeStateMetricsResourceLabels() *KubeStateMetricsResourceLabelsApplyConfiguration { + return &KubeStateMetricsResourceLabelsApplyConfiguration{} +} + +// WithResource sets the Resource field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Resource field is set to the value of the last call. 
+func (b *KubeStateMetricsResourceLabelsApplyConfiguration) WithResource(value configv1alpha1.KubeStateMetricsResourceName) *KubeStateMetricsResourceLabelsApplyConfiguration { + b.Resource = &value + return b +} + +// WithLabels adds the given value to the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Labels field. +func (b *KubeStateMetricsResourceLabelsApplyConfiguration) WithLabels(values ...configv1alpha1.KubeStateMetricsLabelName) *KubeStateMetricsResourceLabelsApplyConfiguration { + for i := range values { + b.Labels = append(b.Labels, values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go index 8c6a288f5..a4a250fc2 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go @@ -4,7 +4,6 @@ package v1alpha1 import ( configv1alpha1 "github.com/openshift/api/config/v1alpha1" - v1 "k8s.io/api/core/v1" ) // NodeExporterConfigApplyConfiguration represents a declarative configuration of the NodeExporterConfig type for use 
@@ -16,14 +15,6 @@ import ( // network statistics. // At least one field must be specified. type NodeExporterConfigApplyConfiguration struct { - // nodeSelector defines the nodes on which the Pods are scheduled. - // nodeSelector is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default value is `kubernetes.io/os: linux`. - // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. - NodeSelector map[string]string `json:"nodeSelector,omitempty"` // resources defines the compute resource requests and limits for the node-exporter container. // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. // When not specified, defaults are used by the platform. Requests cannot exceed limits. @@ -44,16 +35,6 @@ type NodeExporterConfigApplyConfiguration struct { // Minimum length for this list is 1. // Each resource name must be unique within this list. Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` - // tolerations defines tolerations for the pods. - // tolerations is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default is to tolerate all taints (operator: Exists without any key), - // which is typical for DaemonSets that must run on every node. - // Maximum length for this list is 10. - // Minimum length for this list is 1. - Tolerations []v1.Toleration `json:"tolerations,omitempty"` // collectors configures which node-exporter metric collectors are enabled. // collectors is optional. // Each collector can be individually enabled or disabled. Some collectors may have 
@@ -96,20 +77,6 @@ func NodeExporterConfig() *NodeExporterConfigApplyConfiguration { return &NodeExporterConfigApplyConfiguration{} } -// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the NodeSelector field, -// overwriting an existing map entries in NodeSelector field with the same key. -func (b *NodeExporterConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *NodeExporterConfigApplyConfiguration { - if b.NodeSelector == nil && len(entries) > 0 { - b.NodeSelector = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.NodeSelector[k] = v - } - return b -} - // WithResources adds the given value to the Resources field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Resources field. 
@@ -123,16 +90,6 @@ func (b *NodeExporterConfigApplyConfiguration) WithResources(values ...*Containe return b } -// WithTolerations adds the given value to the Tolerations field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Tolerations field. -func (b *NodeExporterConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *NodeExporterConfigApplyConfiguration { - for i := range values { - b.Tolerations = append(b.Tolerations, values[i]) - } - return b -} - // WithCollectors sets the Collectors field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Collectors field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go index 31d3b9f58..2565d5e49 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go 
@@ -101,7 +101,7 @@ type PrometheusConfigApplyConfiguration struct { // Each resource name must be unique within this list. Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. - // When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit). + // When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit). Retention *RetentionApplyConfiguration `json:"retention,omitempty"` // tolerations defines tolerations for the pods. // tolerations is optional. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go index 2ca903f21..2c999b21d 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go 
@@ -7,20 +7,28 @@ package v1alpha1 // // Retention configures how long Prometheus retains metrics data and how much storage it can use. type RetentionApplyConfiguration struct { - // durationInDays specifies how many days Prometheus will retain metrics data. + // duration is an optional field that specifies how long Prometheus retains metrics data. + // Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms + // (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer. + // Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. + // Must be at least 1 character and at most 64 characters. + // When set to "0", time-based retention is disabled. This is the only supported form for disabling + // time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected. // Prometheus automatically deletes data older than this duration. // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The default value is 15. - // Minimum value is 1 day. - // Maximum value is 365 days (1 year). - DurationInDays *int32 `json:"durationInDays,omitempty"` - // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus + // The current default value is `15d`. + Duration *string `json:"duration,omitempty"` + // size is an optional field that specifies the maximum storage size that Prometheus // can use for data blocks and the write-ahead log (WAL). - // When the limit is reached, Prometheus will delete oldest data first. + // Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, + // TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB"). + // The numeric value must be greater than zero. + // Must be at least 1 character and at most 32 characters. 
+ // When set to "0", no size limit is enforced. This is the only supported form for disabling size-based + // retention; other zero-size representations such as "0B" or "0MiB" are rejected. + // When the limit is reached, Prometheus deletes oldest data first. // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. - // Minimum value is 1 GiB. - // Maximum value is 16384 GiB (16 TiB). - SizeInGiB *int32 `json:"sizeInGiB,omitempty"` + Size *string `json:"size,omitempty"` } // RetentionApplyConfiguration constructs a declarative configuration of the Retention type for use with 
@@ -29,18 +37,18 @@ func Retention() *RetentionApplyConfiguration { return &RetentionApplyConfiguration{} } -// WithDurationInDays sets the DurationInDays field in the declarative configuration to the given value +// WithDuration sets the Duration field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DurationInDays field is set to the value of the last call. -func (b *RetentionApplyConfiguration) WithDurationInDays(value int32) *RetentionApplyConfiguration { - b.DurationInDays = &value +// If called multiple times, the Duration field is set to the value of the last call. +func (b *RetentionApplyConfiguration) WithDuration(value string) *RetentionApplyConfiguration { + b.Duration = &value return b } -// WithSizeInGiB sets the SizeInGiB field in the declarative configuration to the given value +// WithSize sets the Size field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the SizeInGiB field is set to the value of the last call. -func (b *RetentionApplyConfiguration) WithSizeInGiB(value int32) *RetentionApplyConfiguration { - b.SizeInGiB = &value +// If called multiple times, the Size field is set to the value of the last call. +func (b *RetentionApplyConfiguration) WithSize(value string) *RetentionApplyConfiguration { + b.Size = &value return b } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go index f2fda246e..9210a0a30 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go @@ -3,6 +3,7 @@ package v1alpha1 import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" v1 "k8s.io/api/core/v1" ) 
@@ -13,6 +14,31 @@ import ( // that runs in the `openshift-monitoring` namespace. // At least one field must be specified; an empty thanosQuerierConfig object is not allowed. type ThanosQuerierConfigApplyConfiguration struct { + // logLevel defines the verbosity of logs emitted by Thanos Querier. + // logLevel is optional. + // Allowed values are Error, Warn, Info, and Debug. + // When set to Error, only errors will be logged. + // When set to Warn, both warnings and errors will be logged. + // When set to Info, general information, warnings, and errors will all be logged. + // When set to Debug, detailed debugging information will be logged. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is `Info`. + LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"` + // requestLogging configures request logging for Thanos Querier. + // requestLogging is optional. + // When provided, the policy field within is required. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default behavior is to not log any requests. + RequestLogging *ThanosQuerierRequestLoggingConfigApplyConfiguration `json:"requestLogging,omitempty"` + // crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy + // for Thanos Querier's HTTP endpoints. + // crossOriginRequestPolicy is optional. + // Valid values are "AllowAll" and "DenyAll". + // When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain. + // When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is "DenyAll". 
+ CrossOriginRequestPolicy *configv1alpha1.CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"` // nodeSelector defines the nodes on which the Pods are scheduled. // nodeSelector is optional. // 
@@ -69,6 +95,30 @@ func ThanosQuerierConfig() *ThanosQuerierConfigApplyConfiguration { return &ThanosQuerierConfigApplyConfiguration{} } +// WithLogLevel sets the LogLevel field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the LogLevel field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithLogLevel(value configv1alpha1.LogLevel) *ThanosQuerierConfigApplyConfiguration { + b.LogLevel = &value + return b +} + +// WithRequestLogging sets the RequestLogging field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RequestLogging field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithRequestLogging(value *ThanosQuerierRequestLoggingConfigApplyConfiguration) *ThanosQuerierConfigApplyConfiguration { + b.RequestLogging = value + return b +} + +// WithCrossOriginRequestPolicy sets the CrossOriginRequestPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CrossOriginRequestPolicy field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithCrossOriginRequestPolicy(value configv1alpha1.CrossOriginRequestPolicy) *ThanosQuerierConfigApplyConfiguration { + b.CrossOriginRequestPolicy = &value + return b +} + // WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, the entries provided by each call will be put on the NodeSelector field, 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go new file mode 100644 index 000000000..d9a626442 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// ThanosQuerierRequestLoggingConfigApplyConfiguration represents a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use +// with apply. +// +// ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier. +type ThanosQuerierRequestLoggingConfigApplyConfiguration struct { + // policy determines which HTTP and gRPC requests are logged by Thanos Querier. + // Valid values are "AllRequests" and "NoRequests". + // When set to "AllRequests", every request received by Thanos Querier is logged with method, path, and response status. + // The log level for request logs is derived from the logLevel field. + // When set to "NoRequests", request logging is turned off. + Policy *configv1alpha1.RequestLoggingPolicy `json:"policy,omitempty"` +} + +// ThanosQuerierRequestLoggingConfigApplyConfiguration constructs a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use with +// apply. +func ThanosQuerierRequestLoggingConfig() *ThanosQuerierRequestLoggingConfigApplyConfiguration { + return &ThanosQuerierRequestLoggingConfigApplyConfiguration{} +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ThanosQuerierRequestLoggingConfigApplyConfiguration) WithPolicy(value configv1alpha1.RequestLoggingPolicy) *ThanosQuerierRequestLoggingConfigApplyConfiguration { + b.Policy = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 913a6be82..303a84071 100644 
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -613,6 +613,7 @@ var schemaYAML = typed.YAMLObject(`types: - name: kms type: namedType: com.github.openshift.api.config.v1.KMSPluginConfig + default: {} - name: type type: scalar: string @@ -1123,6 +1124,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.BuildOverrides default: {} +- name: com.github.openshift.api.config.v1.ClientCredentialConfig + map: + fields: + - name: clientID + type: + scalar: string + - name: clientSecret + type: + namedType: com.github.openshift.api.config.v1.ClientSecretSecretReference + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: tokenEndpoint + type: + scalar: string +- name: com.github.openshift.api.config.v1.ClientSecretSecretReference + map: + fields: + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.CloudControllerManagerStatus map: fields: @@ -1683,6 +1713,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string 
@@ -1791,6 +1827,37 @@ var schemaYAML = typed.YAMLObject(`types: - name: ingressIP type: scalar: string +- name: com.github.openshift.api.config.v1.ExternalClaimsSource + map: + fields: + - name: authentication + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceAuthentication + default: {} + - name: mappings + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.SourcedClaimMapping + elementRelationship: associative + keys: + - name + - name: predicates + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalSourcePredicate + elementRelationship: associative + keys: + - expression + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: url + type: + namedType: com.github.openshift.api.config.v1.SourceURL + default: {} - name: com.github.openshift.api.config.v1.ExternalIPConfig map: fields: @@ -1832,6 +1899,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.CloudControllerManagerStatus default: {} +- name: com.github.openshift.api.config.v1.ExternalSourceAuthentication + map: + fields: + - name: clientCredential + type: + namedType: com.github.openshift.api.config.v1.ClientCredentialConfig + default: {} + - name: type + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + map: + fields: + - name: name + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourcePredicate + map: + fields: + - name: expression + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceTLS + map: + fields: + - name: certificateAuthority + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + default: {} - name: com.github.openshift.api.config.v1.ExtraMapping map: fields: 
@@ -2940,6 +3036,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: networkType type: scalar: string +- name: com.github.openshift.api.config.v1.NetworkObservabilitySpec + map: + fields: + - name: installationPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1.NetworkSpec map: fields: @@ -2956,6 +3058,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.NetworkDiagnostics default: {} + - name: networkObservability + type: + namedType: com.github.openshift.api.config.v1.NetworkObservabilitySpec + default: {} - name: networkType type: scalar: string @@ -3318,6 +3424,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: com.github.openshift.api.config.v1.TokenClaimValidationRule elementRelationship: atomic + - name: externalClaimsSources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalClaimsSource + elementRelationship: atomic - name: issuer type: namedType: com.github.openshift.api.config.v1.TokenIssuer @@ -4201,6 +4313,24 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.SourceURL + map: + fields: + - name: hostname + type: + scalar: string + - name: pathExpression + type: + scalar: string +- name: com.github.openshift.api.config.v1.SourcedClaimMapping + map: + fields: + - name: expression + type: + scalar: string + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.Storage map: fields: @@ -4834,6 +4964,9 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable + - name: userAlertmanagerConfigSelection + type: + scalar: string - name: volumeClaimTemplate type: namedType: PersistentVolumeClaim.v1.core.api.k8s.io 
@@ -4984,6 +5117,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.AlertmanagerConfig default: {} + - name: kubeStateMetricsConfig + type: + namedType: com.github.openshift.api.config.v1alpha1.KubeStateMetricsConfig + default: {} - name: metricsServerConfig type: namedType: com.github.openshift.api.config.v1alpha1.MetricsServerConfig @@ -5196,6 +5333,57 @@ var schemaYAML = typed.YAMLObject(`types: discriminatorValue: ECDSA - fieldName: rsa discriminatorValue: RSA +- name: com.github.openshift.api.config.v1alpha1.KubeStateMetricsConfig + map: + fields: + - name: additionalResourceLabels + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha1.KubeStateMetricsResourceLabels + elementRelationship: associative + keys: + - resource + - name: nodeSelector + type: + map: + elementType: + scalar: string + - name: resources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1alpha1.ContainerResource + elementRelationship: associative + keys: + - name + - name: tolerations + type: + list: + elementType: + namedType: Toleration.v1.core.api.k8s.io + elementRelationship: atomic + - name: topologySpreadConstraints + type: + list: + elementType: + namedType: TopologySpreadConstraint.v1.core.api.k8s.io + elementRelationship: associative + keys: + - topologyKey + - whenUnsatisfiable +- name: com.github.openshift.api.config.v1alpha1.KubeStateMetricsResourceLabels + map: + fields: + - name: labels + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: resource + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.Label map: fields: 
@@ -5343,6 +5531,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorProcessesConfig default: {} + - name: softirqs + type: + namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + default: {} - name: systemd type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdConfig @@ -5408,6 +5600,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: collectionPolicy type: scalar: string +- name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + map: + fields: + - name: collectionPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdCollectConfig map: fields: @@ -5454,11 +5652,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: maxProcs type: scalar: numeric - - name: nodeSelector - type: - map: - elementType: - scalar: string - name: resources type: list: @@ -5467,12 +5660,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - name - - name: tolerations - type: - list: - elementType: - namedType: Toleration.v1.core.api.k8s.io - elementRelationship: atomic - name: com.github.openshift.api.config.v1alpha1.OAuth2 map: fields: @@ -5940,12 +6127,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1alpha1.Retention map: fields: - - name: durationInDays + - name: duration type: - scalar: numeric - - name: sizeInGiB + scalar: string + - name: size type: - scalar: numeric + scalar: string - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig map: fields: 
@@ -6075,11 +6262,21 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1alpha1.ThanosQuerierConfig map: fields: + - name: crossOriginRequestPolicy + type: + scalar: string + - name: logLevel + type: + scalar: string - name: nodeSelector type: map: elementType: scalar: string + - name: requestLogging + type: + namedType: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + default: {} - name: resources type: list: @@ -6103,6 +6300,12 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable +- name: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + map: + fields: + - name: policy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.UppercaseActionConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 79f4f8568..b5690c4d8 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -78,6 +78,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.BuildOverridesApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("BuildSpec"): return &configv1.BuildSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientCredentialConfig"): + return &configv1.ClientCredentialConfigApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientSecretSecretReference"): + return &configv1.ClientSecretSecretReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudControllerManagerStatus"): return &configv1.CloudControllerManagerStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudLoadBalancerConfig"): 
@@ -150,6 +154,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.DNSZoneApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("EquinixMetalPlatformStatus"): return &configv1.EquinixMetalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalClaimsSource"): + return &configv1.ExternalClaimsSourceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPConfig"): return &configv1.ExternalIPConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPPolicy"): @@ -158,6 +164,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ExternalPlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalPlatformStatus"): return &configv1.ExternalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceAuthentication"): + return &configv1.ExternalSourceAuthenticationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceCertificateAuthorityConfigMapReference"): + return &configv1.ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourcePredicate"): + return &configv1.ExternalSourcePredicateApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceTLS"): + return &configv1.ExternalSourceTLSApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExtraMapping"): return &configv1.ExtraMappingApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FeatureGate"): 
@@ -290,6 +304,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.NetworkDiagnosticsTargetPlacementApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkMigration"): return &configv1.NetworkMigrationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("NetworkObservabilitySpec"): + return &configv1.NetworkObservabilitySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkSpec"): return &configv1.NetworkSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkStatus"): @@ -416,6 +432,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.SecretNameReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("SignatureStore"): return &configv1.SignatureStoreApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourcedClaimMapping"): + return &configv1.SourcedClaimMappingApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourceURL"): + return &configv1.SourceURLApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("Storage"): return &configv1.StorageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TemplateReference"): @@ -540,6 +560,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.KeepEqualActionConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("KeyConfig"): return &configv1alpha1.KeyConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("KubeStateMetricsConfig"): + return &configv1alpha1.KubeStateMetricsConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("KubeStateMetricsResourceLabels"): + return &configv1alpha1.KubeStateMetricsResourceLabelsApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("Label"): return &configv1alpha1.LabelApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("LabelMapActionConfig"): 
@@ -642,6 +666,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.TelemeterClientConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierConfig"): return &configv1alpha1.ThanosQuerierConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierRequestLoggingConfig"): + return &configv1alpha1.ThanosQuerierRequestLoggingConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("TLSConfig"): return &configv1alpha1.TLSConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("UppercaseActionConfig"): diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go index 7603b0595..1e4a11635 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go @@ -344,6 +344,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string @@ -400,6 +406,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: groups + type: + list: + elementType: + scalar: string + elementRelationship: associative - name: minTLSVersion type: scalar: string diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go index c3f57e516..5b685313a 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go 
@@ -19,7 +19,7 @@ type EtcdSpecApplyConfiguration struct { // which is subject to change without notice. HardwareSpeed *operatorv1.ControlPlaneHardwareSpeed `json:"controlPlaneHardwareSpeed,omitempty"` // backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - // The value should be an integer not less than 8 and not more than 32. + // The value should be an integer not less than 8 and not more than 16. // When not specified, the default value is 8. BackendQuotaGiB *int32 `json:"backendQuotaGiB,omitempty"` } diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go new file mode 100644 index 000000000..34297c214 --- /dev/null +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go 
@@ -0,0 +1,31 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// KMSEncryptionStatusApplyConfiguration represents a declarative configuration of the KMSEncryptionStatus type for use +// with apply. +type KMSEncryptionStatusApplyConfiguration struct { + // healthReports contains all KMS plugin health reports. + // When omitted, no health reports are available. + // Each entry must have a unique combination of nodeName and keyId. + HealthReports []KMSPluginHealthReportApplyConfiguration `json:"healthReports,omitempty"` +} + +// KMSEncryptionStatusApplyConfiguration constructs a declarative configuration of the KMSEncryptionStatus type for use with +// apply. +func KMSEncryptionStatus() *KMSEncryptionStatusApplyConfiguration { + return &KMSEncryptionStatusApplyConfiguration{} +} + +// WithHealthReports adds the given value to the HealthReports field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the HealthReports field. +func (b *KMSEncryptionStatusApplyConfiguration) WithHealthReports(values ...*KMSPluginHealthReportApplyConfiguration) *KMSEncryptionStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithHealthReports") + } + b.HealthReports = append(b.HealthReports, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go new file mode 100644 index 000000000..40d8eac77 --- /dev/null +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go 
@@ -0,0 +1,91 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + operatorv1 "github.com/openshift/api/operator/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// KMSPluginHealthReportApplyConfiguration represents a declarative configuration of the KMSPluginHealthReport type for use +// with apply. +type KMSPluginHealthReportApplyConfiguration struct { + // nodeName is the name of the node this instance of the plugin runs on. + // The combination of nodeName and keyId makes this health report unique. + // The value must be a valid Kubernetes node name: a lowercase RFC 1123 subdomain + // consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + // an alphanumeric character, and be at most 253 characters in length. + NodeName *string `json:"nodeName,omitempty"` + // keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + // This is not a cryptographic key used to encrypt/decrypt any resources. + // The value must be between 1 and 512 characters. + KeyId *string `json:"keyId,omitempty"` + // status contains a health indicator for the respective KMS plugin + // The field can have three states: healthy, unhealthy, error. + // With error and unhealthy containing additional information in Detail. + Status *operatorv1.KMSPluginHealthStatus `json:"status,omitempty"` + // lastCheckedTime is a timestamp of when the probe was last checked. + LastCheckedTime *metav1.Time `json:"lastCheckedTime,omitempty"` + // kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + // This is not a cryptographic key, but a unique representation of the KEK. + // The value must be between 1 and 1024 characters. + KEKId *string `json:"kekId,omitempty"` + // detail contains additional error/health information for the respective KMS plugin. + // When omitted, no additional error or health information is provided. 
+ // When set, the value must be between 1 and 1024 characters. + Detail *string `json:"detail,omitempty"` +} + +// KMSPluginHealthReportApplyConfiguration constructs a declarative configuration of the KMSPluginHealthReport type for use with +// apply. +func KMSPluginHealthReport() *KMSPluginHealthReportApplyConfiguration { + return &KMSPluginHealthReportApplyConfiguration{} +} + +// WithNodeName sets the NodeName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NodeName field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithNodeName(value string) *KMSPluginHealthReportApplyConfiguration { + b.NodeName = &value + return b +} + +// WithKeyId sets the KeyId field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KeyId field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithKeyId(value string) *KMSPluginHealthReportApplyConfiguration { + b.KeyId = &value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithStatus(value operatorv1.KMSPluginHealthStatus) *KMSPluginHealthReportApplyConfiguration { + b.Status = &value + return b +} + +// WithLastCheckedTime sets the LastCheckedTime field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the LastCheckedTime field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithLastCheckedTime(value metav1.Time) *KMSPluginHealthReportApplyConfiguration { + b.LastCheckedTime = &value + return b +} + +// WithKEKId sets the KEKId field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the KEKId field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithKEKId(value string) *KMSPluginHealthReportApplyConfiguration { + b.KEKId = &value + return b +} + +// WithDetail sets the Detail field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Detail field is set to the value of the last call. +func (b *KMSPluginHealthReportApplyConfiguration) WithDetail(value string) *KMSPluginHealthReportApplyConfiguration { + b.Detail = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go index b6b6bd866..c6eec2ce4 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go 
@@ -12,6 +12,8 @@ type KubeAPIServerStatusApplyConfiguration struct { // The default expiration for the items is set by the platform and it defaults to 24h. // see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection ServiceAccountIssuers []ServiceAccountIssuerStatusApplyConfiguration `json:"serviceAccountIssuers,omitempty"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // KubeAPIServerStatusApplyConfiguration constructs a declarative configuration of the KubeAPIServerStatus type for use with @@ -111,3 +113,11 @@ func (b *KubeAPIServerStatusApplyConfiguration) WithServiceAccountIssuers(values } return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *KubeAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *KubeAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go index 381d4a7e7..1ccbf802f 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go 
@@ -8,6 +8,8 @@ type OAuthAPIServerStatusApplyConfiguration struct { // latestAvailableRevision is the latest revision used as suffix of revisioned // secrets like encryption-config. A new revision causes a new deployment of pods. LatestAvailableRevision *int32 `json:"latestAvailableRevision,omitempty"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // OAuthAPIServerStatusApplyConfiguration constructs a declarative configuration of the OAuthAPIServerStatus type for use with @@ -23,3 +25,11 @@ func (b *OAuthAPIServerStatusApplyConfiguration) WithLatestAvailableRevision(val b.LatestAvailableRevision = &value return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *OAuthAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *OAuthAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go index 776701d54..3a68909d5 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go 
@@ -6,6 +6,8 @@ package v1 // with apply. type OpenShiftAPIServerStatusApplyConfiguration struct { OperatorStatusApplyConfiguration `json:",inline"` + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + EncryptionStatus *KMSEncryptionStatusApplyConfiguration `json:"encryptionStatus,omitempty"` } // OpenShiftAPIServerStatusApplyConfiguration constructs a declarative configuration of the OpenShiftAPIServerStatus type for use with @@ -71,3 +73,11 @@ func (b *OpenShiftAPIServerStatusApplyConfiguration) WithGenerations(values ...* } return b } + +// WithEncryptionStatus sets the EncryptionStatus field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the EncryptionStatus field is set to the value of the last call. +func (b *OpenShiftAPIServerStatusApplyConfiguration) WithEncryptionStatus(value *KMSEncryptionStatusApplyConfiguration) *OpenShiftAPIServerStatusApplyConfiguration { + b.EncryptionStatus = value + return b +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go index d487e95a7..ac6677a9c 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go 
@@ -432,8 +432,6 @@ func needsNewKey(grKeys state.GroupResourceState, currentMode state.Mode, extern // kmsProviderConfig abstracts provider-specific KMS logic so that every // provider-type switch lives in a single factory (newKMSProviderConfig). type kmsProviderConfig interface { - // sourceConfig returns the provider-specific API configuration. - sourceConfig() interface{} // referencedSecretName returns the name of the secret referenced by the KMS plugin // config and the specific data keys to carry from that secret. Only the listed keys // are copied into the Key Secret; any other data in the referenced secret is ignored. @@ -457,10 +455,6 @@ type vaultProviderConfig struct { vault configv1.VaultKMSPluginConfig } -func (v *vaultProviderConfig) sourceConfig() interface{} { - return v.vault -} - func (v *vaultProviderConfig) referencedSecretName() (string, []string, error) { switch v.vault.Authentication.Type { case configv1.VaultAuthenticationTypeAppRole: diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go deleted file mode 100644 index 64e4f1269..000000000 --- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go +++ /dev/null 
@@ -1,269 +0,0 @@
-package controllers
-
-import (
- "context"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "hash"
- "hash/fnv"
- "sort"
- "time"
-
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
-
- operatorv1 "github.com/openshift/api/operator/v1"
- configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
- configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
- applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
-
- "github.com/openshift/library-go/pkg/controller/factory"
- "github.com/openshift/library-go/pkg/operator/events"
- operatorv1helpers "github.com/openshift/library-go/pkg/operator/v1helpers"
-)
-
-type kmsConfigHasher struct {
- provider kmsProviderConfig
- coreClient corev1client.CoreV1Interface
- namespace string
-}
-
-// newKMSConfigHasher creates a hasher for a KMS provider config and its referenced resources.
-// namespace is the namespace where the referenced Secrets and ConfigMaps are stored (e.g., openshift-config).
-func newKMSConfigHasher(provider kmsProviderConfig, coreClient corev1client.CoreV1Interface, namespace string) *kmsConfigHasher {
- return &kmsConfigHasher{provider: provider, coreClient: coreClient, namespace: namespace}
-}
-
-// hash computes a deterministic hash over the provider config and the specific data keys
-// from its referenced Secret and ConfigMap. Uses FNV-32, JSON encoding, and base64 URL
-// encoding, consistent with resourcehash.GetSecretHash and resourcehash.GetConfigMapHash.
-func (h *kmsConfigHasher) hash(ctx context.Context) (string, error) {
- hasher := fnv.New32()
-
- if err := json.NewEncoder(hasher).Encode(h.provider.sourceConfig()); err != nil {
- return "", fmt.Errorf("failed to hash provider config: %w", err)
- }
-
- if err := h.hashReferencedSecret(ctx, hasher); err != nil {
- return "", err
- }
- if err := h.hashReferencedConfigMap(ctx, hasher); err != nil {
- return "", err
- }
-
- return base64.URLEncoding.EncodeToString(hasher.Sum(nil)), nil
-}
-
-func (h *kmsConfigHasher) hashReferencedSecret(ctx context.Context, hasher hash.Hash) error {
- name, keys, err := h.provider.referencedSecretName()
- if err != nil {
- return fmt.Errorf("failed to get referenced secret name: %w", err)
- }
- if name == "" {
- return nil
- }
-
- secret, err := h.coreClient.Secrets(h.namespace).Get(ctx, name, metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("failed to get secret %s/%s: %w", h.namespace, name, err)
- }
-
- // Write each key name before its value to prevent collisions when bytes
- // shift between adjacent values (e.g. role-id="ab",secret-id="cd" vs
- // role-id="abc",secret-id="d" would otherwise both hash as "abcd").
- sort.Strings(keys)
- for _, k := range keys {
- v, ok := secret.Data[k]
- if !ok {
- return fmt.Errorf("key %q not found in secret %s/%s", k, h.namespace, name)
- }
- if _, err := hasher.Write([]byte(k)); err != nil {
- return fmt.Errorf("failed to hash key %q: %w", k, err)
- }
- if _, err := hasher.Write(v); err != nil {
- return fmt.Errorf("failed to hash key %q: %w", k, err)
- }
- }
- return nil
-}
-
-func (h *kmsConfigHasher) hashReferencedConfigMap(ctx context.Context, hasher hash.Hash) error {
- name, keys, err := h.provider.referencedConfigMapName()
- if err != nil {
- return fmt.Errorf("failed to get referenced configmap name: %w", err)
- }
- if name == "" {
- return nil
- }
-
- cm, err := h.coreClient.ConfigMaps(h.namespace).Get(ctx, name, metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("failed to get configmap %s/%s: %w", h.namespace, name, err)
- }
-
- sort.Strings(keys)
- for _, k := range keys {
- v, ok := cm.Data[k]
- if !ok {
- return fmt.Errorf("key %q not found in configmap %s/%s", k, h.namespace, name)
- }
- if _, err := hasher.Write([]byte(k)); err != nil {
- return fmt.Errorf("failed to hash key %q: %w", k, err)
- }
- if _, err := hasher.Write([]byte(v)); err != nil {
- return fmt.Errorf("failed to hash key %q: %w", k, err)
- }
- }
- return nil
-}
-
-type kmsPreflightController struct {
- controllerInstanceName string
-
- operatorClient operatorv1helpers.OperatorClient
- apiServerClient configv1client.APIServerInterface
-
- provider Provider
- preconditionsFulfilledFn preconditionsFulfilled
-}
-
-// NewKMSPreflightController validates KMS configuration before a key is created.
-//
-// Coordination with the key-controller:
-//
-// The key-controller writes a hash of the current KMS config to operator status
-// as the EncryptionKMSPreflightRequired condition (hash in the message).
-// This controller reads that hash, runs preflight checks, and on success sets -// the EncryptionKMSPreflightSucceeded condition (same hash in the message). -// The key-controller waits for the two hashes to match before creating a key. -// -// This is the same pattern used by the revision and installer controllers: -// the revision controller writes LatestAvailableRevision, the installer -// controller reads it and acts. -// -// Without this protocol the following race can occur: -// 1. Preflight passes for config A, hash A written to operator status. -// 2. Key-controller reads hash A, starts creating a key for config A. -// 3. Config changes to B. -// 4. Preflight controller syncs, sees config B, does not yet see the key -// for A (key-controller is in the process of creating the key), -// runs preflight for B, overwrites status with hash B. -// 5. The key created in step 2 was for config A but status now says B. -// -// Letting the key-controller own EncryptionKMSPreflightRequired and this -// controller own EncryptionKMSPreflightSucceeded solves this. If the config -// changes mid-flight the key-controller posts a new hash and the preflight -// controller sees the mismatch and waits. -// -// Example 1: config changes before key is created -// 1. User creates KMS config A. -// 2. Key-controller computes hash A, writes EncryptionKMSPreflightRequired=A. -// 3. Preflight controller sees required=A, starts checking A. -// 4. User changes config to A2 (minor variation, different hash). -// 5. Key-controller computes hash A2, writes EncryptionKMSPreflightRequired=A2. -// 6. Preflight controller sees required=A2, starts checking A2. -// 7. Key-controller does not create a key until succeeded=A2. -// -// Example 2: config changes after key is created -// 1. User creates KMS config A. -// 2. Key-controller computes hash A, writes EncryptionKMSPreflightRequired=A. -// 3. Preflight controller checks A, succeeds, writes EncryptionKMSPreflightSucceeded=A. -// 4. 
Key-controller sees required=A matches succeeded=A, creates key for A.
-// 5. User changes config to A2 (or B).
-// 6. Key-controller waits until the key for A completes the full cycle
-// (read, write, migrated) before creating a new key. No preflight done
-// at this stage.
-//
-// Preflight workload:
-//
-// A deployer interface abstracts the workload creation. Each operator provides
-// its own implementation that knows how to install, get status, clean up the
-// preflight workload, and wire the credentials needed to update pod status.
-// The workload type matches the API server it validates (static pod for kas-o,
-// Deployment for aggregated API servers).
-//
-// When an existing KMS plugin is already configured, the checker runs the new
-// plugin alongside the existing one to catch co-existence issues (e.g., metric
-// port collisions). When no plugin is configured yet, it runs the new plugin alone.
-// The sync method reads existing encryption key secrets to determine whether
-// a plugin is already configured.
-//
-// The pod uses readiness gates to post check results back to the controller.
-// To set the readiness gate condition, the pod PATCHes its own status using
-// credentials wired by the deployer.
-// The controller reads these enhanced pod statuses to update its own operator
-// status, which is propagated to end users.
-//
-// After a successful check the preflight pod is kept for a short period (e.g. 1h)
-// so that its logs can be inspected, then cleaned up by a subsequent sync.
-func NewKMSPreflightController(
- instanceName string,
- provider Provider,
- preconditionsFulfilledFn preconditionsFulfilled,
- operatorClient operatorv1helpers.OperatorClient,
- apiServerClient configv1client.APIServerInterface,
- apiServerInformer configv1informers.APIServerInformer,
- eventRecorder events.Recorder,
-) factory.Controller {
- c := &kmsPreflightController{
- controllerInstanceName: factory.ControllerInstanceName(instanceName, "EncryptionKMSPreflight"),
-
- operatorClient: operatorClient,
- apiServerClient: apiServerClient,
-
- provider: provider,
- preconditionsFulfilledFn: preconditionsFulfilledFn,
- }
-
- return factory.New().
- WithSync(c.sync).
- WithControllerInstanceName(c.controllerInstanceName).
- ResyncEvery(time.Minute).
- WithInformers(
- apiServerInformer.Informer(),
- operatorClient.Informer(),
- ).ToController(
- c.controllerInstanceName,
- eventRecorder.WithComponentSuffix("encryption-kms-preflight-controller"),
- )
-}
-
-func (c *kmsPreflightController) sync(ctx context.Context, syncCtx factory.SyncContext) (err error) {
- degradedCondition := applyoperatorv1.OperatorCondition().WithType("EncryptionKMSPreflightControllerDegraded")
-
- defer func() {
- if degradedCondition == nil {
- return
- }
- status := applyoperatorv1.OperatorStatus().WithConditions(degradedCondition)
- if applyError := c.operatorClient.ApplyOperatorStatus(ctx, c.controllerInstanceName, status); applyError != nil {
- err = applyError
- }
- }()
-
- if ready, err := shouldRunEncryptionController(c.operatorClient, c.preconditionsFulfilledFn, c.provider.ShouldRunEncryptionControllers); err != nil || !ready {
- if err != nil {
- degradedCondition = nil
- } else {
- degradedCondition = degradedCondition.WithStatus(operatorv1.ConditionFalse)
- }
- return err // we will get re-kicked when the operator status updates
- }
-
- preflightErr := c.runPreflightChecks(ctx)
- if preflightErr != nil {
- degradedCondition = degradedCondition.
- WithStatus(operatorv1.ConditionTrue).
- WithReason("Error").
- WithMessage(preflightErr.Error())
- } else {
- degradedCondition = degradedCondition.
- WithStatus(operatorv1.ConditionFalse)
- }
- return preflightErr
-}
-
-func (c *kmsPreflightController) runPreflightChecks(ctx context.Context) error {
- return fmt.Errorf("implement me")
-}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/cmd.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/cmd.go
index 3055e4ce9..d36a3fec1 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/cmd.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/cmd.go
@@ -6,7 +6,6 @@ import (
 "regexp"
 "time"
- "github.com/openshift/library-go/pkg/operator/v1helpers"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
@@ -14,7 +13,6 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/server"
 k8senvelopekmsv2 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"
- "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 "k8s.io/klog/v2"
 )
@@ -35,21 +33,21 @@ type options struct {
 NodeName string
 Kubeconfig string
- newOperatorClient func(*rest.Config) (v1helpers.OperatorClient, error)
+ newWriter NewEncryptionStatusWriterFunc
 }
 type Config struct {
- operatorClient v1helpers.OperatorClient
- prober *prober
+ writeStatus EncryptionStatusWriter
+ prober *prober
 interval time.Duration
 writeTimeout time.Duration
 nodeName string
 }
-func NewCommand(ctx context.Context, newOperatorClient func(*rest.Config) (v1helpers.OperatorClient, error)) *cobra.Command {
+func NewCommand(ctx context.Context, newWriter NewEncryptionStatusWriterFunc) *cobra.Command {
 o := &options{
- newOperatorClient: newOperatorClient,
+ newWriter: newWriter,
 }
 cmd := &cobra.Command{
@@ -126,9 +124,12 @@ func (o *options) Config(ctx context.Context) (*Config, error) {
 return nil, fmt.Errorf("build rest config: %w", err)
 }
- operatorClient, err := o.newOperatorClient(restCfg)
+ // reporterID is the per-node ownership identity. The naming convention lives
+ // here, not in the caller's writer, so all three operators stay uniform.
+ reporterID := "kms-health-reporter-" + o.NodeName
+ writeStatus, err := o.newWriter(restCfg, reporterID)
 if err != nil {
- return nil, fmt.Errorf("build operator client: %w", err)
+ return nil, fmt.Errorf("build encryption status writer: %w", err)
 }
 plugins, err := buildPlugins(ctx, o.KMSSockets, o.ReadTimeout)
@@ -137,11 +138,11 @@ func (o *options) Config(ctx context.Context) (*Config, error) {
 }
 return &Config{
- operatorClient: operatorClient,
- prober: newProber(plugins),
- interval: o.Interval,
- writeTimeout: o.WriteTimeout,
- nodeName: o.NodeName,
+ writeStatus: writeStatus,
+ prober: newProber(plugins),
+ interval: o.Interval,
+ writeTimeout: o.WriteTimeout,
+ nodeName: o.NodeName,
 }, nil
 }
@@ -149,9 +150,13 @@ func (c *Config) Run(ctx context.Context) error {
 wait.JitterUntilWithContext(ctx, func(ctx context.Context) {
 // Each Status RPC enforces the read timeout internally (set at dial
 // time); ctx here only carries shutdown cancellation.
- conditions := c.prober.probeAll(ctx)
- // TODO: hand conditions to the writer once it lands; logging is a placeholder.
- klog.InfoS("kms plugin health", "conditions", conditions)
+ reports := c.prober.probeAll(ctx)
+
+ writeCtx, cancel := context.WithTimeout(ctx, c.writeTimeout)
+ defer cancel()
+ if err := c.writeStatus(writeCtx, buildEncryptionStatus(c.nodeName, reports)); err != nil {
+ klog.ErrorS(err, "failed to publish kms plugin health")
+ }
 }, c.interval, 0.1, false)
 return nil
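Review bot: reporterID is built from o.NodeName without rejecting an empty value, so a missing node name (unless options validation outside this hunk already enforces it) yields the shared identity `kms-health-reporter-`, under which every node's reporter would apply to, and overwrite, the same status entries. Since the doc on NewEncryptionStatusWriterFunc says this identity is what the write path uses to claim ownership, a guard before the concatenation keeps one node's writes from claiming another's: `if o.NodeName == "" { return nil, fmt.Errorf("node name is required to build the reporter identity") }`. Config's body begins before the hunk.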
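Review bot: The ErrorS call in Run logs a failed publish without the node or reporter identity, and nothing else in the loop signals that the published status has gone stale; if the writer keeps failing, consumers see an old lastCheckedTime with nothing to tell "plugin unhealthy" from "reporter cannot publish". Adding the key is cheap, `klog.ErrorS(err, "failed to publish kms plugin health", "node", c.nodeName)`; whether consumers treat a stale lastCheckedTime as degraded is decided outside this hunk and worth confirming. Run's enclosing body starts before the hunk.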
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/prober.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/prober.go
index 84db02fe1..55c1f3f11 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/prober.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/prober.go
@@ -21,11 +21,11 @@ const (
 type pluginHealthReport struct {
 // KeyID is the controller's sequential key id; KEKID is the KMS provider's
 // encryption key id. Distinct identifiers, easy to confuse.
- KeyID string
- KEKID string
- Status string
- LastChecked time.Time
- Detail string
+ KeyID string `json:"keyID"`
+ KEKID string `json:"kekID,omitempty"`
+ Status string `json:"status"`
+ LastChecked time.Time `json:"lastChecked"`
+ Detail string `json:"detail,omitempty"`
 }
 // pluginClient is the dialed handle to one co-located KMS plugin; the plugin
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/writer.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/writer.go
new file mode 100644
index 000000000..4c0690de0
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/health/writer.go
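Review bot: The json tags are added to the unexported pluginHealthReport, but no marshalling site for it appears in this diff (writer.go converts the fields by hand), so a later cleanup could drop them as unused. A one-line comment on the struct naming the consumer would prevent that, e.g. `// json tags serve <consumer, e.g. structured log output of the reports> — TODO(review) confirm`, with the placeholder replaced by the real one.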
@@ -0,0 +1,59 @@
+package health
+
+import (
+ "context"
+
+ operatorv1 "github.com/openshift/api/operator/v1"
+ applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/rest"
+)
+
+// NewEncryptionStatusWriterFunc builds the EncryptionStatusWriter for a target
+// CR. The caller binds the concrete CR; this package only supplies the rest
+// config and a reporterID. reporterID is a stable, per-node identifier the write
+// path uses to claim ownership of its own entries; with server-side apply, pass
+// it as the field manager.
+type NewEncryptionStatusWriterFunc func(restConfig *rest.Config, reporterID string) (EncryptionStatusWriter, error)
+
+// EncryptionStatusWriter is injected by the operator. The operator knows where
+// to put it. Creating the status is the health reporter's concern.
+type EncryptionStatusWriter func(ctx context.Context, status *applyoperatorv1.KMSEncryptionStatusApplyConfiguration) error
+
+// buildEncryptionStatus builds the KMSEncryptionStatusApplyConfiguration to be
+// applied by the operator.
+func buildEncryptionStatus(nodeName string, reports []pluginHealthReport) *applyoperatorv1.KMSEncryptionStatusApplyConfiguration {
+ healthReports := make([]*applyoperatorv1.KMSPluginHealthReportApplyConfiguration, 0, len(reports))
+ for _, r := range reports {
+ hr := applyoperatorv1.KMSPluginHealthReport().
+ WithNodeName(nodeName).
+ WithKeyId(r.KeyID).
+ WithStatus(mapStatus(r.Status)).
+ WithLastCheckedTime(metav1.NewTime(r.LastChecked))
+
+ // kekId/detail have MinLength=1; setting "" would fail validation.
+ if r.KEKID != "" {
+ hr = hr.WithKEKId(r.KEKID)
+ }
+ if r.Detail != "" {
+ hr = hr.WithDetail(r.Detail)
+ }
+
+ healthReports = append(healthReports, hr)
+ }
+
+ return applyoperatorv1.KMSEncryptionStatus().WithHealthReports(healthReports...)
+}
+
+// mapStatus defaults to Error so an unknown value never becomes an empty,
+// invalid enum.
+func mapStatus(s string) operatorv1.KMSPluginHealthStatus {
+ switch s {
+ case statusHealthy:
+ return operatorv1.KMSPluginHealthStatusHealthy
+ case statusUnhealthy:
+ return operatorv1.KMSPluginHealthStatusUnhealthy
+ default:
+ return operatorv1.KMSPluginHealthStatusError
+ }
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/builder.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/builder.go
deleted file mode 100644
index dd62853b9..000000000
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/builder.go
+++ /dev/null
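Review bot: buildEncryptionStatus guards KEKID and Detail against the MinLength=1 rule but calls WithKeyId(r.KeyID) unconditionally; if keyId carries the same constraint (the comment on the sibling string fields suggests it may), one probe report with an empty KeyID makes the whole apply fail and takes every healthy entry from this node down with it. Either skip such a report before building, `if r.KeyID == "" { klog.ErrorS(nil, "dropping health report without key id", "node", nodeName); continue }`, or confirm keyId has no MinLength and say so in the comment. An empty reports slice likewise yields WithHealthReports() with no items, which is fine only if healthReports has no MinItems; worth confirming against the API. mapStatus discards the original string on its default branch; carrying it into Detail when that branch fires would make an unexpected prober value diagnosable from the status alone.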
@@ -1,163 +0,0 @@
-package pluginlifecycle
-
-import (
- "context"
- "fmt"
- "path/filepath"
-
- corev1 "k8s.io/api/core/v1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
- "k8s.io/klog/v2"
-
- "github.com/openshift/library-go/pkg/operator/encryption/encryptiondata"
-)
-
-// KMSPluginBuilder constructs KMS plugin pod spec contributions for injection
-// into API server pods.
-type KMSPluginBuilder struct {
- encryptionConfig *encryptiondata.Config
- encryptionConfigSecretName string
- staticPod bool
-}
-
-// NewKMSPluginBuilder creates a builder that defaults to deployment mode.
-func NewKMSPluginBuilder() *KMSPluginBuilder {
- return &KMSPluginBuilder{}
-}
-
-// FromEncryptionConfig loads all KMS plugins from a parsed encryption config.
-// The encryptionConfigSecretName identifies the Secret the config was parsed
-// from; it is used for volume configuration in both deployment and static pod
-// modes.
-func (b *KMSPluginBuilder) FromEncryptionConfig(encryptionConfigSecretName string, cfg *encryptiondata.Config) *KMSPluginBuilder {
- b.encryptionConfigSecretName = encryptionConfigSecretName
- b.encryptionConfig = cfg
- return b
-}
-
-// AsStaticPod switches the builder to static pod mode. Sidecars will reference
-// data from the resource-dir volume and run as root (UID 0).
-func (b *KMSPluginBuilder) AsStaticPod() *KMSPluginBuilder {
- b.staticPod = true
- return b
-}
-
-// Apply mutates the given pod spec by injecting KMS plugin sidecars, volumes,
-// and volume mounts. containerName identifies the API server container that
-// needs the socket volume mount.
-//
-// It is a no-op (returns nil error) when no KMS plugins are found.
-// It is idempotent.
-func (b *KMSPluginBuilder) Apply(podSpec *corev1.PodSpec, containerName string) error {
- if podSpec == nil {
- return fmt.Errorf("pod spec cannot be nil")
- }
- if containerName == "" {
- return fmt.Errorf("container name cannot be empty")
- }
-
- kmsConfigurations, err := encryptiondata.ExtractUniqueAndSortedKMSConfigurations(b.encryptionConfig)
- if err != nil {
- return fmt.Errorf("failed to get KMS configurations: %w", err)
- }
- if len(kmsConfigurations) == 0 {
- klog.V(4).Infof("skipping KMS sidecar injection: no KMS plugins found in EncryptionConfiguration")
- return nil
- }
-
- var refDataVolumeName, refDataMountPath, referenceDataDir string
- if b.staticPod {
- refDataVolumeName = resourceDirVolumeName
- refDataMountPath = resourcesDir
- referenceDataDir = filepath.Join(resourcesDir, "secrets", b.encryptionConfigSecretName)
- } else {
- refDataVolumeName = referenceDataVolumeName
- refDataMountPath = referenceDataMountPath
- referenceDataDir = referenceDataMountPath
- }
-
- klog.V(4).Infof("injecting %d KMS sidecar(s)", len(kmsConfigurations))
-
- socketVolumeMount := corev1.VolumeMount{Name: kmsPluginSocketVolumeName, MountPath: kmsPluginSocketMountPath, ReadOnly: false}
- refDataVolumeMount := corev1.VolumeMount{Name: refDataVolumeName, MountPath: refDataMountPath, ReadOnly: true}
-
- for _, kmsConfiguration := range kmsConfigurations {
- // ExtractUniqueAndSortedKMSConfigurations function rewrites the .Name field to include only the key ID
- keyID := kmsConfiguration.Name
-
- pluginConfig, ok := b.encryptionConfig.KMSPlugins[keyID]
- if !ok {
- return fmt.Errorf("missing plugin config for keyID %s", keyID)
- }
-
- refData := &referenceDataResolver{
- pluginsSecretData: b.encryptionConfig.KMSPluginsSecretData,
- pluginsConfigMapData: b.encryptionConfig.KMSPluginsConfigMapData,
- referenceDataDir: referenceDataDir,
- keyID: keyID,
- }
-
- provider, err := newSidecarProvider(keyID, kmsConfiguration.Endpoint, pluginConfig, refData)
- if err != nil {
-
return fmt.Errorf("failed to create a sidecar provider for keyID %s: %w", keyID, err)
- }
-
- if err := ensureSidecarContainer(podSpec, provider); err != nil {
- return err
- }
-
- if err := ensureVolumeMountInContainer(podSpec.InitContainers, provider.Name(), socketVolumeMount); err != nil {
- return err
- }
-
- if err := ensureVolumeMountInContainer(podSpec.InitContainers, provider.Name(), refDataVolumeMount); err != nil {
- return err
- }
-
- if b.staticPod {
- if err := setRunAsRoot(podSpec.InitContainers, provider.Name()); err != nil {
- return err
- }
- }
- }
-
- if err := ensureVolumeMountInContainer(podSpec.Containers, containerName, socketVolumeMount); err != nil {
- return err
- }
-
- if err := ensureSocketVolume(podSpec); err != nil {
- return err
- }
-
- if !b.staticPod {
- if err := ensureReferenceDataVolume(podSpec, b.encryptionConfigSecretName); err != nil {
- return err
- }
- }
-
- return nil
-}
-
-func fetchEncryptionConfig(ctx context.Context, encryptionConfigNamespace, encryptionConfigSecretName string, secretClient corev1client.SecretsGetter) (*encryptiondata.Config, error) {
- encryptionConfigurationSecret, err := secretClient.Secrets(encryptionConfigNamespace).Get(ctx, encryptionConfigSecretName, metav1.GetOptions{})
- if apierrors.IsNotFound(err) {
- klog.V(4).Infof("skipping KMS sidecar injection: %s/%s secret not found", encryptionConfigNamespace, encryptionConfigSecretName)
- return nil, nil
- }
- if err != nil {
- return nil, fmt.Errorf("failed to get %s/%s secret: %w", encryptionConfigNamespace, encryptionConfigSecretName, err)
- }
-
- encryptionConfig, err := encryptiondata.FromSecret(encryptionConfigurationSecret)
- if err != nil {
- return nil, fmt.Errorf("failed to extract encryption config from %s/%s secret: %w", encryptionConfigNamespace, encryptionConfigSecretName, err)
- }
-
- if encryptionConfig == nil {
- return nil, fmt.Errorf("encryption configuration is required in %s/%s secret", encryptionConfigNamespace,
encryptionConfigSecretName)
- }
-
- return encryptionConfig, nil
-}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go
index 5c8b1e19d..543811e20 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go
@@ -3,13 +3,18 @@ package pluginlifecycle
 import (
 "context"
 "fmt"
+ "path/filepath"
 configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/api/features"
 "github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+ "github.com/openshift/library-go/pkg/operator/encryption/encryptiondata"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/equality"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+ "k8s.io/klog/v2"
 "k8s.io/utils/ptr"
 )
@@ -53,29 +58,30 @@ func newSidecarProvider(keyID string, udsPath string, pluginConfig configv1.KMSP
 // It is a no-op when the KMSEncryption feature gate is not enabled or the encryption-config secret does not exist.
 // The secretClient should be uncached to avoid injecting sidecars based on a stale encryption configuration.
 func AddKMSPluginSidecarToStaticPodSpec(ctx context.Context, podSpec *corev1.PodSpec, containerName string, encryptionConfigNamespace string, encryptionConfigSecretName string, secretClient corev1client.SecretsGetter, featureGateAccessor featuregates.FeatureGateAccess) error {
- if !featureGateAccessor.AreInitialFeatureGatesObserved() {
- return nil
- }
- featureGates, err := featureGateAccessor.CurrentFeatureGates()
- if err != nil {
- return fmt.Errorf("failed to get feature gates: %w", err)
- }
- if !featureGates.Enabled(features.FeatureGateKMSEncryption) {
- return nil
- }
+ // The static pod revision controller copies secret data to disk under resourcesDir/secrets//.
+ referenceDataDir := filepath.Join(resourcesDir, "secrets", encryptionConfigSecretName)
- cfg, err := fetchEncryptionConfig(ctx, encryptionConfigNamespace, encryptionConfigSecretName, secretClient)
+ sidecarNames, err := addKMSPluginSidecars(ctx, podSpec, containerName, encryptionConfigNamespace, encryptionConfigSecretName, secretClient, featureGateAccessor, referenceDataDir)
 if err != nil {
 return err
 }
- if cfg == nil {
+
+ // Don't touch the pod spec further when there are no sidecars.
+ if len(sidecarNames) == 0 {
 return nil
 }
- return NewKMSPluginBuilder().
- FromEncryptionConfig(encryptionConfigSecretName, cfg).
- AsStaticPod().
- Apply(podSpec, containerName)
+ for _, name := range sidecarNames {
+ volumeMount := corev1.VolumeMount{Name: resourceDirVolumeName, MountPath: resourcesDir, ReadOnly: true}
+ if err := ensureVolumeMountInContainer(podSpec.InitContainers, name, volumeMount); err != nil {
+ return err
+ }
+ if err := setRunAsRoot(podSpec.InitContainers, name); err != nil {
+ return err
+ }
+ }
+
+ return nil
 }
 // AddKMSPluginSidecarToPodSpec injects KMS plugin sidecar containers into an aggregated API server pod spec (e.g., openshift-apiserver, oauth-apiserver).
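Review bot: setRunAsRoot is applied to every static-pod sidecar in the new loop without a why-comment; the builder this replaces only stated that static-pod sidecars "run as root (UID 0)" and gave no reason either, so a least-privilege review will ask whether reading the resource-dir copy of the secret actually needs UID 0 or whether a non-root securityContext with suitable file ownership would do. Add a comment next to the call, `// TODO(review): document why UID 0 is required here (resource-dir file ownership?) and whether a non-root securityContext suffices`, so the privilege decision is recorded where it is made. Separately, the volumeMount literal is identical on every iteration and can be hoisted above the loop, as socketVolumeMount is in addKMSPluginSidecars.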
@@ -83,28 +89,126 @@ func AddKMSPluginSidecarToStaticPodSpec(ctx context.Context, podSpec *corev1.Pod
 // It is a no-op when the KMSEncryption feature gate is not enabled or the encryption-config secret does not exist.
 // The secretClient should be uncached to avoid injecting sidecars based on a stale encryption configuration.
 func AddKMSPluginSidecarToPodSpec(ctx context.Context, podSpec *corev1.PodSpec, containerName string, encryptionConfigNamespace string, encryptionConfigSecretName string, secretClient corev1client.SecretsGetter, featureGateAccessor featuregates.FeatureGateAccess) error {
- if !featureGateAccessor.AreInitialFeatureGatesObserved() {
+ sidecarNames, err := addKMSPluginSidecars(ctx, podSpec, containerName, encryptionConfigNamespace, encryptionConfigSecretName, secretClient, featureGateAccessor, referenceDataMountPath)
+ if err != nil {
+ return err
+ }
+
+ // Don't touch the pod spec further when there are no sidecars.
+ if len(sidecarNames) == 0 {
 return nil
 }
+
+ for _, name := range sidecarNames {
+ volumeMount := corev1.VolumeMount{Name: referenceDataVolumeName, MountPath: referenceDataMountPath, ReadOnly: true}
+ if err := ensureVolumeMountInContainer(podSpec.InitContainers, name, volumeMount); err != nil {
+ return err
+ }
+ }
+
+ // Unlike static pods, aggregated API servers access KMS plugin data by mounting the encryption-config Secret directly as a volume.
+ // Callers include the revision number in encryptionConfigSecretName (e.g. "encryption-config-7"), so each revision maps to a distinct Secret and volume.
+ if err := ensureReferenceDataVolume(podSpec, encryptionConfigSecretName); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// addKMSPluginSidecars contains the shared logic for discovering KMS plugins and injecting sidecar containers.
+// It returns the names of the sidecar containers that were injected, so callers can add deployment-mode-specific volume mounts.
+func addKMSPluginSidecars(ctx context.Context, podSpec *corev1.PodSpec, containerName string, encryptionConfigNamespace string, encryptionConfigSecretName string, secretClient corev1client.SecretsGetter, featureGateAccessor featuregates.FeatureGateAccess, referenceDataDir string) ([]string, error) {
+ if podSpec == nil {
+ return nil, fmt.Errorf("pod spec cannot be nil")
+ }
+
+ if containerName == "" {
+ return nil, fmt.Errorf("container name cannot be empty")
+ }
+
+ if !featureGateAccessor.AreInitialFeatureGatesObserved() {
+ return nil, nil
+ }
+
 featureGates, err := featureGateAccessor.CurrentFeatureGates()
 if err != nil {
- return fmt.Errorf("failed to get feature gates: %w", err)
+ return nil, fmt.Errorf("failed to get feature gates: %w", err)
 }
+
 if !featureGates.Enabled(features.FeatureGateKMSEncryption) {
- return nil
+ return nil, nil
 }
- cfg, err := fetchEncryptionConfig(ctx, encryptionConfigNamespace, encryptionConfigSecretName, secretClient)
+ encryptionConfigurationSecret, err := secretClient.Secrets(encryptionConfigNamespace).Get(ctx, encryptionConfigSecretName, metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ klog.V(4).Infof("skipping KMS sidecar injection: %s/%s secret not found", encryptionConfigNamespace, encryptionConfigSecretName)
+ return nil, nil
+ }
 if err != nil {
- return err
+ return nil, fmt.Errorf("failed to get %s/%s secret: %w", encryptionConfigNamespace, encryptionConfigSecretName, err)
 }
- if cfg == nil {
- return nil
+
+ encryptionConfig, err := encryptiondata.FromSecret(encryptionConfigurationSecret)
+ if err != nil {
+ return nil, fmt.Errorf("failed to extract encryption config from %s/%s secret: %w", encryptionConfigNamespace, encryptionConfigSecretName, err)
+ }
+
+ kmsConfigurations, err := encryptiondata.ExtractUniqueAndSortedKMSConfigurations(encryptionConfig)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get KMS configurations: %w", err)
+ }
+ if len(kmsConfigurations) == 0 {
+ klog.V(4).Infof("skipping KMS
sidecar injection: no KMS plugins found in EncryptionConfiguration")
+ return nil, nil
+ }
+
+ klog.V(4).Infof("injecting %d KMS sidecar(s)", len(kmsConfigurations))
+
+ var sidecarNames []string
+ socketVolumeMount := corev1.VolumeMount{Name: kmsPluginSocketVolumeName, MountPath: kmsPluginSocketMountPath, ReadOnly: false}
+ for _, kmsConfiguration := range kmsConfigurations {
+ // ExtractUniqueAndSortedKMSConfigurations function rewrites the .Name field to include only the key ID
+ keyID := kmsConfiguration.Name
+ udsPath := kmsConfiguration.Endpoint
+
+ pluginConfig, ok := encryptionConfig.KMSPlugins[keyID]
+ if !ok {
+ return nil, fmt.Errorf("missing plugin config for keyID %s", keyID)
+ }
+
+ refData := &referenceDataResolver{
+ pluginsConfigMapData: encryptionConfig.KMSPluginsConfigMapData,
+ pluginsSecretData: encryptionConfig.KMSPluginsSecretData,
+ referenceDataDir: referenceDataDir,
+ keyID: keyID,
+ }
+
+ provider, err := newSidecarProvider(keyID, udsPath, pluginConfig, refData)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create a sidecar provider for keyID %s: %w", keyID, err)
+ }
+
+ if err := ensureSidecarContainer(podSpec, provider); err != nil {
+ return nil, err
+ }
+
+ if err := ensureVolumeMountInContainer(podSpec.InitContainers, provider.Name(), socketVolumeMount); err != nil {
+ return nil, err
+ }
+
+ sidecarNames = append(sidecarNames, provider.Name())
+ }
+
+ if err := ensureVolumeMountInContainer(podSpec.Containers, containerName, socketVolumeMount); err != nil {
+ return nil, err
+ }
+
+ // The volume mount in the kube-apiserver and KMS plugin containers requires a volume in the podSpec
+ if err := ensureSocketVolume(podSpec); err != nil {
+ return nil, err
 }
- return NewKMSPluginBuilder().
- FromEncryptionConfig(encryptionConfigSecretName, cfg).
- Apply(podSpec, containerName)
+ return sidecarNames, nil
 }
 func ensureSidecarContainer(podSpec *corev1.PodSpec, provider sidecarProvider) error {
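Review bot: addKMSPluginSidecars drops the nil check that the deleted fetchEncryptionConfig ran after encryptiondata.FromSecret: the old code returned `encryption configuration is required in %s/%s secret` when FromSecret yielded a nil config, whereas the new code hands the possibly-nil *encryptiondata.Config to ExtractUniqueAndSortedKMSConfigurations and, should that return entries, dereferences it at `encryptionConfig.KMSPlugins[keyID]`. Unless FromSecret is guaranteed never to return (nil, nil) (not visible here), reinstate the check right after the FromSecret error branch: `if encryptionConfig == nil { return nil, fmt.Errorf("encryption configuration is required in %s/%s secret", encryptionConfigNamespace, encryptionConfigSecretName) }`. The doc comment on addKMSPluginSidecars should also carry the idempotence statement the deleted Apply had, since both exported wrappers call it on every sync and rely on the ensure* helpers not duplicating containers or mounts.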
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go b/vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go
index 75bc48ce2..93dfefac3 100644
--- a/vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "net"
- "os"
 "os/exec"
 "strconv"
 "strings"
@@ -23,34 +22,6 @@ import (
 library "github.com/openshift/library-go/test/library/encryption"
 )
-// resolveVaultKMSPluginImage determines the vault-kube-kms plugin image to use.
-// It checks SHARED_DIR because the openshift-e2e-test step ref is a widely-used
-// shared ref that does not declare VAULT_KMS_PLUGIN_IMAGE in its env list.
-// The vault-install step writes the image reference to a file in SHARED_DIR,
-// allowing subsequent steps to pick it up without modifying the shared ref.
-func resolveVaultKMSPluginImage(t testing.TB) string {
- t.Helper()
- if img := os.Getenv("VAULT_KMS_PLUGIN_IMAGE"); img != "" {
- t.Logf("Using vault KMS plugin image from VAULT_KMS_PLUGIN_IMAGE env: %s", img)
- return img
- }
- sharedDir := os.Getenv("SHARED_DIR")
- if sharedDir == "" {
- t.Fatal("SHARED_DIR environment variable is not set; cannot resolve vault KMS plugin image")
- }
- imagePath := sharedDir + "/vault-kms-plugin-image"
- data, err := os.ReadFile(imagePath)
- if err != nil {
- t.Fatalf("failed to read vault KMS plugin image from %s: %v", imagePath, err)
- }
- img := strings.TrimSpace(string(data))
- if img == "" {
- t.Fatalf("vault KMS plugin image file %s is empty", imagePath)
- }
- t.Logf("Resolved vault KMS plugin image from %s: %s", imagePath, img)
- return img
-}
-
 const (
 defaultVaultNamespace = "vault-kms"
 defaultVaultServiceName = "vault"
@@ -59,6 +30,7 @@ const (
 defaultVaultAppRoleSecretName = "vault-approle-secret"
 defaultVaultConfigMapName = "vault-ca-bundle"
 defaultFAKEVaultKMSPluginImage = "quay.io/openshifttest/mock-kms-plugin@sha256:958a2f8276037468aa47dc2137d3c30dfcd96489455eddb2fe655f8168a57622"
+ defaultVaultKMSPluginImage = "registry.ci.openshift.org/control-plane-custom-builds/vault-kube-kms@sha256:33599dd6eee61dcf9a60138759fafda3d88593a3c2072585156882c6b5bd3fa5"
 defaultVaultAddress = "https://vault.vault-kms.svc:8200"
 defaultVaultEnterpriseNS = "admin"
 defaultVaultTransitMount = "transit"
@@ -81,7 +53,6 @@ const (
 // and bundles the AppRole secret setup.
 func DefaultVaultEncryptionProvider(ctx context.Context, t testing.TB) library.EncryptionProvider {
 cfg := DefaultVaultKMSPluginConfig
- cfg.KMS.Vault.KMSPluginImage = resolveVaultKMSPluginImage(t)
 // Use the Service ClusterIP instead of DNS name because kube-apiserver pods
 // cannot resolve cluster-local Service names (they use host network DNS).
 cfg.KMS.Vault.VaultAddress = getVaultServiceAddress(ctx, t, defaultVaultNamespace, defaultVaultServiceName)
@@ -103,6 +74,7 @@ var DefaultVaultKMSPluginConfig = configv1.APIServerEncryption{
 KMS: configv1.KMSPluginConfig{
 Type: configv1.VaultKMSProvider,
 Vault: configv1.VaultKMSPluginConfig{
+ KMSPluginImage: defaultVaultKMSPluginImage,
 VaultAddress: defaultVaultAddress,
 VaultNamespace: defaultVaultEnterpriseNS,
 TransitMount: defaultVaultTransitMount,
@@ -153,6 +125,7 @@ var SecondaryVaultKMSPluginConfig = configv1.APIServerEncryption{
 KMS: configv1.KMSPluginConfig{
 Type: configv1.VaultKMSProvider,
 Vault: configv1.VaultKMSPluginConfig{
+ KMSPluginImage: defaultVaultKMSPluginImage,
 VaultAddress: secondaryVaultAddress,
 VaultNamespace: defaultVaultEnterpriseNS,
 TransitMount: defaultVaultTransitMount,
@@ -177,7 +150,6 @@ var SecondaryVaultKMSPluginConfig = configv1.APIServerEncryption{
 // for the secondary Vault instance, used in KMS-to-KMS migration e2e tests.
 func SecondaryVaultEncryptionProvider(ctx context.Context, t testing.TB) library.EncryptionProvider {
 cfg := SecondaryVaultKMSPluginConfig
- cfg.KMS.Vault.KMSPluginImage = resolveVaultKMSPluginImage(t)
 cfg.KMS.Vault.VaultAddress = getVaultServiceAddress(ctx, t, secondaryVaultNamespace, secondaryVaultServiceName)
 return library.EncryptionProvider{
 APIServerEncryption: cfg,
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go b/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
index bc923e96e..c1a6b888e 100644
--- a/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
@@ -436,6 +436,13 @@ func TestKMSToKMSOnOff(ctx context.Context, t testing.TB, scenario KMSToKMSMigra
 clientSet := GetClients(t)
 scenario.AssertResourceEncryptedFunc(t, clientSet, scenario.ResourceFunc(t, scenario.Namespace))
 }},
+ {name: "OffIdentityAfterSecondary", testFunc: func(t testing.TB) {
+ TestEncryptionTypeIdentity(ctx, t, scenario.BasicScenario)
+ }},
+ {name: "AssertDecryptedAfterSecondary", testFunc: func(t testing.TB) {
+ clientSet := GetClients(t)
+ scenario.AssertResourceNotEncryptedFunc(t, clientSet, scenario.ResourceFunc(t, scenario.Namespace))
+ }},
 }
 for _, step := range steps {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ee3b25d4b..784737775 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -227,7 +227,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo
 github.com/openshift-eng/openshift-tests-extension/pkg/junit
 github.com/openshift-eng/openshift-tests-extension/pkg/util/sets
 github.com/openshift-eng/openshift-tests-extension/pkg/version
-# github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3
+# github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc
 ## explicit; go 1.25.0
 github.com/openshift/api
 github.com/openshift/api/annotations
@@ -317,7 +317,7 @@ github.com/openshift/build-machinery-go/make/targets/golang
 github.com/openshift/build-machinery-go/make/targets/openshift
 github.com/openshift/build-machinery-go/make/targets/openshift/operator
 github.com/openshift/build-machinery-go/scripts
-# github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
+# github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167
 ## explicit; go 1.25.0
 github.com/openshift/client-go/config/applyconfigurations
 github.com/openshift/client-go/config/applyconfigurations/config/v1
@@ -383,7 +383,7 @@ github.com/openshift/client-go/user/applyconfigurations/internal
 github.com/openshift/client-go/user/applyconfigurations/user/v1
 github.com/openshift/client-go/user/clientset/versioned/scheme
 github.com/openshift/client-go/user/clientset/versioned/typed/user/v1
-# github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6
+# github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6 => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer
 ## explicit; go 1.25.0
 github.com/openshift/library-go/pkg/apiserver/jsonpatch
 github.com/openshift/library-go/pkg/apps/deployment
@@ -1654,3 +1654,4 @@ sigs.k8s.io/structured-merge-diff/v6/value
 ## explicit; go 1.22
 sigs.k8s.io/yaml
 # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+# github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer
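Review bot: The added replace line (and the matching `=>` suffix on the library-go entry in the previous hunk) points library-go at an absolute path under one developer's home directory, so `go mod vendor`/`go mod verify` on any other machine or in CI cannot resolve the module and the vendored library-go code in this commit is not reproducible from a published revision. Before merge the local replace should be dropped in favour of a pseudo-version of the library-go change and vendor/ regenerated from it, otherwise reviewers cannot tie the vendored sources to an upstream commit.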